Security advisory: IBEXA-SA-2020-006

Object Injection in legacy shop module
Publication date:
05/10/2020, 16:25


Affected versions: ezsystems/ezpublish-legacy v2019.03.5, v2017.12.7, v5.4.14
Resolving versions: ezsystems/ezpublish-legacy v2019.03.5.1, v2017.12.7.3, v5.4.14.2

This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why we've classified it as Medium severity.

This security update is distributed via Composer, see "Resolving versions" above.

You'll notice that we've changed the codename for security advisories from EZSA-* to IBEXA-SA-*, to reflect our current company name.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories