Home > Vulnerability Database > WS-2022-0385

Mend.io Vulnerability Database

WS-2022-0385

Good to know:

Date: November 10, 2022

In ezpublish-kernel up to 7.5.29, users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. Version 7.5.30 ensures that subtree limitations are working as intended.

Language: PHP

Severity Score

5.4

Related Resources (2)

Url: https://github.com/ezsystems/ezpublish-kernel/commit/957e67a08af2b3265753f9763943e8225ed779ab

Url: https://www.mend.io/vulnerability-database/WS-2022-0385

Severity Score

5.4

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Top Fix

Upgrade Version

Upgrade to version v7.5.30

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

WS-2022-0385

Good to know:

Date: November 10, 2022

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?