eZ Publish Cross-Site Scripting Vulnerability
Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in eZ Publish 5.4. This version embeds an outdated third party component named VideoJS (version 3.2.0) which provides video-js.swf, a Flash file vulnerable to a cross-site scripting. The vulnerable component is bundled in eZ Publish extensions DemoBundle, ezdemo and ezdemo-ls-extension.
Update to DemoBundle v188.8.131.52, ezdemo v184.108.40.206, ezdemo-ls-extension v220.127.116.11 or latest version.
Proof of concept
The vulnerability can be triggered using the following URL:
See EZSA-2020-003 security advisory.
Purplemet technology detection
Purplemet detects eZ Publish and VideoJS with version.