Insecure Configuration Affecting ezsystems/ezplatform package, versions >=1.13.0, <1.13.5.1>=2.5.0, <2.5.4>=1.7.0, <1.7.9.1
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Insecure Configuration vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-EZSYSTEMSEZPLATFORM-546868
- published6 Feb 2020
- disclosed6 Feb 2020
- creditSerhey Dolgushev
Introduced: 6 Feb 2020
CVE NOT AVAILABLE CWE-276 (opens in a new tab)How to fix?
Upgrade ezsystems/ezplatform to version 1.13.5.1, 2.5.4, 1.7.9.1 or higher.
Overview
ezsystems/ezplatform is a fully open source professional CMS (Content Management System) developed by eZ Systems and the eZ Community.
Affected versions of this package are vulnerable to Insecure Configuration. The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service).
The consequence of this is that in such a setup, those executable files may be downloadable. They will not be executable, unless you have specifically configured platform.sh to allow that (which you really should not do). The severity of the download access is limited, but it's better if the platform.sh cloud setup works the same way as regular eZ Platform does. All platform.sh setups are affected.