Name of the Vulnerable Software and Affected Versions: eZ Platform and eZ Publish Legacy (affected versions not specified)

Description: The issue concerns a vulnerability in the way eZ Platform and eZ Publish Legacy handle file uploads, potentially leading to remote code execution (RCE) if an attacker has access to uploading files. However, the vulnerability cannot be exploited if the recommended vhost configuration is used, which specifies that only the file app.php in the web root is executed. The built-in webserver in PHP remains vulnerable as it does not use this type of configuration. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations: For eZ Platform and eZ Publish Legacy, consider implementing the recommended vhost configuration to prevent exploitation. As a temporary workaround, consider using the blacklist feature for uploaded filenames, such as ".php", to prevent uploading of potentially malicious files. Restrict access to file uploads to trusted users to minimize the risk of exploitation. Update the configuration to include the new block against path traversal attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.