PT-2024-40496 · Cksource+1 · Ckeditor+4

Published 2024-05-15 · Updated 2024-05-15

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

eZ Platform versions prior to 1.13.x with ezsystems/PlatformUIAssetsBundle version 4.2.3
eZ Platform version 2.5.13 with ezsystems/ezplatform-admin-ui-assets version 4.2.1
eZ Platform version 3.0.* with ezsystems/ezplatform-admin-ui-assets version 5.0.1
eZ Platform version 3.1.2 with ezsystems/ezplatform-admin-ui-assets version 5.1.1
eZ Platform EE version 2.5.13 with ezsystems/ezplatform-workflow version 1.1.9
eZ Platform EE version 3.1.2 with ezsystems/ezplatform-workflow version 2.1.1
Description

There is an issue with CKEditor as used in the eZ Platform Admin UI, where scripts can be injected through specially crafted "protected" comments, potentially leading to an XSS issue. Additionally, drafts sent to trash become visible in the Review Queue, displaying their title and review history, even to users who were not able to see them before. This affects the Enterprise Edition.
Recommendations

For eZ Platform versions prior to 1.13.x, update ezsystems/PlatformUIAssetsBundle to version 4.2.3 or later.
For eZ Platform version 2.5.13, update ezsystems/ezplatform-admin-ui-assets to version 4.2.1 or later.
For eZ Platform version 3.0.*, update ezsystems/ezplatform-admin-ui-assets to version 5.0.1 or later.
For eZ Platform version 3.1.2, update ezsystems/ezplatform-admin-ui-assets to version 5.1.1 or later.
For eZ Platform EE version 2.5.13, update ezsystems/ezplatform-workflow to version 1.1.9 or later.
For eZ Platform EE version 3.1.2, update ezsystems/ezplatform-workflow to version 2.1.1 or later.
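A way to check an installation against the fixed versions listed above, as an added example that is not part of this advisory or of the eZ Platform project: it reads a composer.lock document and compares each affected package's installed version with the advisory's fixed version for that package's release branch. It assumes the Composer package names are the lower-cased forms of the packages named above; the sample lock file is constructed.

```python
import json
import re

# Fixed versions from the advisory above, keyed by Composer package name (assumed
# lower-cased, as Composer stores it) and by the release branch each fix is for.
# Branches the advisory does not mention are reported as "not covered", not safe.
FIXED_VERSIONS = {
    "ezsystems/platformuiassetsbundle": {(4,): (4, 2, 3)},
    "ezsystems/ezplatform-admin-ui-assets": {
        (4,): (4, 2, 1), (5, 0): (5, 0, 1), (5, 1): (5, 1, 1)},
    "ezsystems/ezplatform-workflow": {(1,): (1, 1, 9), (2,): (2, 1, 1)},
}

def parse_version(text: str) -> tuple:
    """'v4.2.0' -> (4, 2, 0). Pre-release suffixes are dropped; 'dev-*'
    strings raise so a dev checkout is never silently counted as fixed."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def status_for(package: str, installed: tuple) -> str:
    """'vulnerable', 'fixed' or 'not covered' for one installed version."""
    branches = FIXED_VERSIONS[package]
    # Most specific branch first, so (5, 1) would win over a bare (5,).
    for branch in sorted(branches, key=len, reverse=True):
        if installed[:len(branch)] == branch:
            return "fixed" if installed >= branches[branch] else "vulnerable"
    return "not covered"

def check_composer_lock(lock_json: str) -> list:
    """Report (name, installed version, status) for each affected package."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_json).get(section, []):
            name = pkg["name"].lower()
            if name in FIXED_VERSIONS:
                status = status_for(name, parse_version(pkg["version"]))
                findings.append((name, pkg["version"], status))
    return findings

# Constructed sample lock file (not from a real project) for a stand-alone run.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "ezsystems/ezplatform-admin-ui-assets", "version": "v5.1.0"},
    {"name": "ezsystems/ezplatform-workflow", "version": "v2.1.1"},
    {"name": "symfony/console", "version": "v4.4.0"}]})

if __name__ == "__main__":
    for name, version, status in check_composer_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```

On a real project, pass the contents of its composer.lock to check_composer_lock; a "not covered" result means the installed branch is outside the ones this advisory lists and needs a manual check.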

Weakness Enumeration

XSS

Related Identifiers

GHSA-W9P3-26FX-5MP3

Affected Products

Ckeditor
Ez Platform
Ezsystems/Platformuiassetsbundle
Ezsystems/Ezplatform-Admin-Ui-Assets
Ezsystems/Ezplatform-Workflow