CVE-2020-10806

moderate-risk
Published 2020-03-22

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Do I need to act?

~
2.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 0ec4ce5265a289cf72ebe4629ca2ccbc84cb4176, 296628934d22c427d97ad49f7b12149b51b5c4d2, 5b398c582315141a50ea25044649997831fac4f4, 089617a2e2461d49b795a4104e0c7667fb0a4b94
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Ez Publish-Kernel
Ez Publish-Legacy

Affected Vendors

Ez

References (2)

Vendor Advisory https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-i...
Vendor Advisory https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-i...
45
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 7/34 · Low