GHSA-58h5-h554-429q

Source
https://github.com/advisories/GHSA-58h5-h554-429q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-58h5-h554-429q/GHSA-58h5-h554-429q.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-58h5-h554-429q
Published
2022-11-10T21:42:09Z
Modified
2024-12-02T05:37:32.004963Z
Summary
ezplatform-admin-ui vulnerable to Cross-Site Scripting (XSS)
Details

It is possible to inject JavaScript (stored XSS) through the content type fields "name" and "short name". Exploiting this requires permission to edit content types, which in many installations restricts it to users who are already administrators; nonetheless, verify which users hold this permission. The fix ensures that these values are escaped on output, so any injected markup is rendered inert.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T21:42:09Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-admin-ui

Package

Name
ezsystems/ezplatform-admin-ui
Purl
pkg:composer/ezsystems/ezplatform-admin-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.26

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25