CVE-2020-10806: Unrestricted Upload of File with Dangerous Type

March 22, 2020 (updated March 25, 2020)

eZ Publish Legacy allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

References

ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads
nvd.nist.gov/vuln/detail/CVE-2020-10806

Detect and mitigate CVE-2020-10806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →