Deserialization of Untrusted Data
Affecting ezsystems/ezpublish-legacy package, versions >=5.4.0, <220.127.116.11 || >=5.3.0, <18.104.22.168 || >=2011.0.0, <2017.12.4.3 || >=2018.6.0, <2018.6.1.4 || >=2018.9.0, <2018.9.1.3
ezsystems/ezpublish-legacy is a professional PHP application framework with advanced CMS (content management system) functionality.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. PHAR archives may be crafted such that the PHAR stream wrapper will execute them without being specifically asked to. With such files, any PHP file operation may cause deserialisation and execution.
Upgrade ezsystems/ezpublish-legacy to versions 22.214.171.124, 126.96.36.199, 2018.9.1.3, 2018.6.1.4 or higher.
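As a complementary check to upgrading, the following added example (not part of the advisory or of the eZ Publish code base) shows a Python scan an upload handler could run to flag files that carry a native-format PHAR manifest whose metadata holds a serialized PHP object, which is the data the stream wrapper deserialises. The function names and sample bytes are constructed for illustration, and tar- or zip-based PHARs are not covered.

```python
import re
import struct

HALT = b"__HALT_COMPILER();"                   # token that ends every PHAR stub
OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"')  # serialized PHP object marker

def _parse_manifest(data: bytes, pos: int):
    """Read the manifest header at pos; return the metadata bytes or None."""
    try:
        # Little-endian: manifest length, file count, API version,
        # global flags, alias length (18 bytes in total).
        manifest_len, _, _, _, alias_len = struct.unpack_from("<IIHII", data, pos)
        meta_at = pos + 18 + alias_len
        (meta_len,) = struct.unpack_from("<I", data, meta_at)
    except struct.error:
        return None                            # truncated or not a manifest
    meta = data[meta_at + 4:meta_at + 4 + meta_len]
    # Reject random bytes: the declared lengths must be self-consistent.
    if len(meta) != meta_len or 18 + alias_len + meta_len > manifest_len:
        return None
    return meta

def phar_metadata(data: bytes):
    """Return serialized metadata of a native PHAR found anywhere in data."""
    start = data.find(HALT)
    while start >= 0:
        pos = start + len(HALT)
        if data[pos:pos + 3] == b" ?>":        # optional closing tag + newline
            pos += 3
            pos += 2 if data[pos:pos + 2] == b"\r\n" else int(data[pos:pos + 1] == b"\n")
        meta = _parse_manifest(data, pos)
        if meta is not None:
            return meta
        start = data.find(HALT, start + 1)
    return None

def classify_upload(data: bytes) -> str:
    meta = phar_metadata(data)
    if meta is None:
        return "not-phar"
    return "phar-object-metadata" if OBJECT.search(meta) else "phar"

def constructed_sample(meta: bytes) -> bytes:
    """Constructed test input: stub plus an empty manifest carrying meta."""
    body = struct.pack("<IHII", 0, 0x1100, 0, 0) + struct.pack("<I", len(meta)) + meta
    return b"<?php __HALT_COMPILER(); ?>\r\n" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    print(classify_upload(constructed_sample(b'O:8:"stdClass":0:{}')))
```

The object pattern can also match inside serialized strings, so the check errs towards rejecting a file rather than accepting it.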
- Snyk ID
- 26 Nov, 2018
- 29 Nov, 2018