Insecure Configuration Affecting ezsystems/ezplatform package, versions >=1.13.0, <1.13.5.1 >=2.5.0, <2.5.4 >=1.7.0, <1.7.9.1
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-EZSYSTEMSEZPLATFORM-546868
- published 6 Feb 2020
- disclosed 6 Feb 2020
- credit Serhey Dolgushev
How to fix?
Upgrade ezsystems/ezplatform to version 1.13.5.1, 2.5.4, 1.7.9.1 or higher.
Overview
ezsystems/ezplatform is a fully open source professional CMS (Content Management System) developed by eZ Systems and the eZ Community.
Affected versions of this package are vulnerable to Insecure Configuration. The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service).
The consequence of this is that in such a setup, those executable files may be downloadable. They will not be executable, unless you have specifically configured platform.sh to allow that (which you really should not do). The severity of the download access is limited, but it's better if the platform.sh cloud setup works the same way as regular eZ Platform does. All platform.sh setups are affected.