nvd-json-data-feeds/CVE-2020/CVE-2020-108xx/CVE-2020-10806.json

{
  "id": "CVE-2020-10806",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2020-03-22T16:15:12.307",
  "lastModified": "2024-11-21T04:56:06.587",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution."
    },
    {
      "lang": "es",
      "value": "eZ Publish Kernel versiones anteriores a 5.4.14.1, versiones 6.x anteriores a 6.13.6.2 y versiones 7.x anteriores a 7.5.6.2 y eZ Publish Legacy versiones anteriores a 5.4.14.1, versiones 2017 anteriores a 2017.12.7.2 y versiones 2019 anteriores a 2019.03.4.2, permiten a atacantes remotos ejecutar c\u00f3digo arbitrario cargando c\u00f3digo PHP, a menos que la configuraci\u00f3n del vhost permita solo una ejecuci\u00f3n del archivo app.php."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "baseScore": 7.5,
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL"
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-kernel:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "5.4.14.1",
              "matchCriteriaId": "EFB83619-2C1B-438F-9606-0E6F1EE5E7AA"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.0.0",
              "versionEndExcluding": "6.13.6.2",
              "matchCriteriaId": "374C9F64-6C40-48D9-A8F4-A150B203675C"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "7.0.0",
              "versionEndExcluding": "7.5.6.2",
              "matchCriteriaId": "8B7E98AE-3AC5-4A96-ACE6-027F0087A79E"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-legacy:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "5.4.14.1",
              "matchCriteriaId": "EB9396C8-317A-4167-99A8-D8ED8562A381"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-legacy:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2017.0",
              "versionEndExcluding": "2017.12.7.2",
              "matchCriteriaId": "0F5B8064-99D2-4391-83D4-8041E8046948"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ez:ez_publish-legacy:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2019.0",
              "versionEndExcluding": "2019.03.4.2",
              "matchCriteriaId": "6612C69D-6AA0-48F8-BB57-E47A0A0F80F0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads",
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}