eZ Publish eZ Flow Extension Security Bypass Vulnerability
Release Date: 2012-05-15
Criticality level: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: eZ Publish 4.x
A vulnerability has been reported in eZ Publish, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused by an error in the handling of block items in the eZ Flow extension and can be exploited to e.g. read protected content or change the order of blocks.
Successful exploitation requires access to the eZ Flow functionality.
The vulnerability is reported in eZ Flow extension versions 2.0, 2.1, 2.2, 2.3, and 2.4.
Provided and/or discovered by:
The vendor credits Yann Michard, Oppida.