CVE-2020-10806

CRITICAL

eZ Publish Kernel < 5.4.14.1, 6.x < 6.13.6.2, 7.x < 7.5.6.2 - RCE

Description

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Scores

CVSS v3 9.8
EPSS 0.0283
EPSS Percentile 86.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (4)
ez/ez_publish-kernel < 5.4.14.1
ez/ez_publish-legacy < 5.4.14.1
ezsystems/ezpublish-kernel 0 - 5.4.14.1 (Packagist)
ezsystems/ezpublish-legacy 0 - 5.4.14.1 (Packagist)
Published Mar 22, 2020
Tracked Since Feb 18, 2026