We found results for “


Good to know:


Date: October 6, 2020

Object Injection was found in legacy shop module (ezsystems/ezpublish-legacy) before versions v2019.03.5.1, v2017.12.7.3, and v5.4.14.2. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why we've classified it as Medium severity.

Language: PHP

Severity Score

Severity Score

Top Fix


Upgrade Version

Upgrade to version v2019.03.5.1, v2017.12.7.3, v5.4.14.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privilegs Required (PR): HIGH
User Interaction (UI): NONE
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us