
eZ Publish Cross-Site Scripting Vulnerability


April 27, 2020


Vulnerability

The Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in eZ Publish 5.4. This version embeds an outdated third-party component named VideoJS (version 3.2.0), which provides video-js.swf, a Flash file vulnerable to cross-site scripting. The vulnerable component is bundled in the eZ Publish extensions DemoBundle, ezdemo and ezdemo-ls-extension.

Solution

Update to DemoBundle v5.4.6.1, ezdemo v5.4.2.1, ezdemo-ls-extension v5.4.2.1 or the latest version.

Proof of concept

The vulnerability can be triggered using the following URL:


http://ip//extension/ezdemo/design/ezdemo/flash/video-js.swf?readyFunction=alert('XSS')//
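
A detection-side view of the request above, as an added example that is not part of the original advisory: it scans web access log lines for direct requests to video-js.swf whose readyFunction parameter is anything other than a plain dotted identifier. The log format, the sample lines and the `player.onReady` name are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a benign readyFunction value is a dotted JavaScript identifier.
CALLBACK_RE = re.compile(r'[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*')


def suspicious_swf_requests(log_lines):
    """Return (line_number, decoded readyFunction value) for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Split by hand: a target starting with "//" (as in the proof of
        # concept URL) would be misread as a hostname by urlsplit().
        path, _, query = match.group(1).partition("?")
        if not unquote(path).lower().endswith("/video-js.swf"):
            continue
        # parse_qs percent-decodes, so encoded payloads are checked decoded.
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if key.lower() != "readyfunction":
                continue
            hits += [(number, v) for v in values if not CALLBACK_RE.fullmatch(v)]
    return hits


def sample_entry(target):
    # Constructed log line; 192.0.2.0/24 is a documentation address range.
    return f'192.0.2.10 - - [27/Apr/2020:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


SWF = "/extension/ezdemo/design/ezdemo/flash/video-js.swf"
SAMPLE_LOG = [
    sample_entry(SWF),                                                # no parameter
    sample_entry("/" + SWF + "?readyFunction=alert('XSS')//"),        # URL from this page
    sample_entry(SWF + "?readyFunction=alert%28%27XSS%27%29%2F%2F"),  # same, percent-encoded
    sample_entry(SWF + "?readyFunction=player.onReady"),              # hypothetical identifier
    sample_entry("/index.php?readyFunction=alert('XSS')"),            # different path
]

if __name__ == "__main__":
    for number, value in suspicious_swf_requests(SAMPLE_LOG):
        print(f"line {number}: readyFunction={value!r}")
```
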
                           

Reference

See the EZSA-2020-003 security advisory.

Purplemet technology detection

Purplemet detects eZ Publish and VideoJS, along with their versions.

Purplemet detection of eZ Publish and VideoJS
