N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4c2w-v5rq-5mx7

EPSS Score

CWE

CWE-79

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4c2w-v5rq-5mx7

GHSA-4c2w-v5rq-5mx7: eZ Platform Editor Cross-site Scripting (XSS)

This Security Advisory is about two issues of low to medium severity. We recommend that you install the update as soon as possible.

There is an XSS vulnerability in CKEditor, which is used by AlloyEditor, which is used in eZ Platform Admin UI. Scripts can be injected through specially crafted "protected" comments. We are not sure it is exploitable in eZ Platform, but recommend installing it to be on the safe side. It is fixed in CKEditor v4.14, AlloyEditor v2.11.9. It is distributed via Composer, for:

eZ Platform v1.13.x: ezsystems/PlatformUIAssetsBundle v4.2.3 (included from ezsystems/PlatformUIBundle v1.13.x) eZ Platform v2.5.13: ezsystems/ezplatform-admin-ui-assets v4.2.1 eZ Platform v3.0.*: ezsystems/ezplatform-admin-ui-assets v5.0.1 eZ Platform v3.1.2: ezsystems/ezplatform-admin-ui-assets v5.1.1

Drafts that are sent to trash become visible in the Review Queue, even for users that were not able to see them before this action. It's not possible to preview them, but their title and review history is displayed. This affects Enterprise Edition only, of which ezplatform-workflow is a part. This security update is distributed via Composer, for

eZ Platform EE v2.5.13: ezsystems/ezplatform-workflow v1.1.9 eZ Platform EE v3.1.2: ezsystems/ezplatform-workflow v2.1.1

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4c2w-v5rq-5mx7

EPSS Score

CWE

CWE-79

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezplatform-admin-ui-assets	composer	>= 4.2.0, < 4.2.1	4.2.1
ezsystems/ezplatform-admin-ui-assets	composer	>= 5.0.0, < 5.0.1	5.0.1
ezsystems/ezplatform-admin-ui-assets	composer	>= 5.1.0, < 5.1.1	5.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from outdated dependencies (CKEditor <4.14 and AlloyEditor <2.11.9) rather than specific functions in the ezplatform-admin-ui-assets package itself. The XSS vulnerability exists in how CKEditor/AlloyEditor processes 'protected' comments, but without access to specific code implementations in eZ Platform's integration or patch diffs, we cannot identify exact vulnerable functions in the listed PHP packages with high confidence. The primary mitigation was updating these third-party editor dependencies rather than modifying eZ Platform's own functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is S**urity **visory is **out two issu*s o* low to m**ium s*v*rity. W* r**omm*n* t**t you inst*ll t** up**t* *s soon *s possi*l*. T**r* is *n XSS vuln*r**ility in *K**itor, w*i** is us** *y *lloy**itor, w*i** is us** in *Z Pl*t*orm **min UI. S*ri

Reasoning

T** vuln*r**ility st*ms *rom out**t** **p*n**n*i*s (*K**itor <*.** *n* *lloy**itor <*.**.*) r*t**r t**n sp**i*i* *un*tions in t** `*zpl*t*orm-**min-ui-*ss*ts` p**k*** its*l*. T** XSS vuln*r**ility *xists in *ow `*K**itor`/`*lloy**itor` pro**ss*s 'pro

N/A

Basic Information

Concerned about an active attack path?

GHSA-4c2w-v5rq-5mx7: eZ Platform Editor Cross-site Scripting (XSS)

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI