N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-9wwx-c723-vm8x

EPSS Score

CWE

CWE-200

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9wwx-c723-vm8x

GHSA-9wwx-c723-vm8x:
eZ Platform REST API returns list of all SiteAccesses

This security advisory fixes a vulnerability in eZ Platform, and we recommend that you install it as soon as possible. The issue is that the REST API may be made to disclose the names of all available site accesses. The severity of this depends on your installation, please consider your response accordingly.

To install, use Composer to update "ezsystems/ezpublish-kernel" to one of the "Resolving versions" mentioned above, or apply this patch manually: https://github.com/ezsystems/ezpublish-kernel/commit/1551723ec134878a4cb598bfc5d900ba6164117a

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-9wwx-c723-vm8x

EPSS Score

CWE

CWE-200

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezpublish-kernel	composer	>= 7.3.0, < 7.3.2.1	7.3.2.1
ezsystems/ezpublish-kernel	composer	>= 7.0.0, < 7.2.4.1	7.2.4.1
ezsystems/ezpublish-kernel	composer	>= 6.8.0, < 6.13.5.1	6.13.5.1
ezsystems/ezpublish-kernel	composer	>= 6.0.0, < 6.7.9.1	6.7.9.1
ezsystems/ezpublish-kernel	composer	>= 5.4.0, < 5.4.13.1	5.4.13.1
ezsystems/ezpublish-kernel	composer	>= 5.3.0, < 5.3.12.1	5.3.12.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from error messages disclosing all SiteAccess names when invalid input is provided. The patch introduces a debug flag to conditionally include this sensitive information. The core issue occurs in the exception-throwing functions:

Router::match() handles X-Siteaccess header validation and previously always included the SiteAccess list in error messages.
ConsoleCommandListener::onConsoleCommand() performed similar disclosure for CLI commands. Both functions passed the full SiteAccess list to InvalidSiteAccessException constructor without debug checks prior to the patch, making them the direct sources of information leakage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is s**urity **visory *ix*s * vuln*r**ility in *Z Pl*t*orm, *n* w* r**omm*n* t**t you inst*ll it *s soon *s possi*l*. T** issu* is t**t t** R*ST *PI m*y ** m*** to *is*los* t** n*m*s o* *ll *v*il**l* sit* ****ss*s. T** s*v*rity o* t*is **p*n*s on yo

Reasoning

T** vuln*r**ility st*ms *rom *rror m*ss***s *is*losin* *ll Sit*****ss n*m*s w**n inv*li* input is provi***. T** p*t** intro*u**s * ***u* *l** to *on*ition*lly in*lu** t*is s*nsitiv* in*orm*tion. T** *or* issu* o**urs in t** *x**ption-t*rowin* *un*tio

N/A

Basic Information

Concerned about an active attack path?

GHSA-9wwx-c723-vm8x: eZ Platform REST API returns list of all SiteAccesses

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-9wwx-c723-vm8x:
eZ Platform REST API returns list of all SiteAccesses

Vulnerability Intelligence
Miggo AI