EZSA-2017-006: Information disclosure in backend content tree menu

September 11, 2017

If a view has been disabled in site.ini SiteAccessRules Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu may contain hidden items, this may lead to information disclosure.

References

share.ez.no/community-project/security-advisories/ezsa-2017-006-information-disclosure-in-backend-content-tree-menu
github.com/ezsystems/ezpublish-legacy/commit/a4a0470f8d80f012fe14e4f8ab11c7d14375986c

Code Behaviors & Features

Detect and mitigate EZSA-2017-006 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →