Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 23bdcd68e1a3 · 2026-02-02T19:56:54.000Z
GHSA-mrvj-7q4f-5p42 GHSA-c737-jhwr-fqxj
diff --git a/advisories/github-reviewed/2021/03/GHSA-mrvj-7q4f-5p42/GHSA-mrvj-7q4f-5p42.json b/advisories/github-reviewed/2021/03/GHSA-mrvj-7q4f-5p42/GHSA-mrvj-7q4f-5p42.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mrvj-7q4f-5p42",
-  "modified": "2021-03-19T19:56:16Z",
+  "modified": "2026-02-02T19:55:39Z",
   "published": "2021-03-19T19:56:42Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2021-46875"
+  ],
   "summary": "Cross-site scripting in eZ Platform Kernel",
   "details": "### Impact\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\n\n### Patches\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\n\n### Important note\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.",
   "severity": [],
@@ -102,10 +104,18 @@
       "type": "WEB",
       "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ezsystems/ezpublish-kernel"
+    },
     {
       "type": "WEB",
       "url": "https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1"
diff --git a/advisories/github-reviewed/2023/03/GHSA-c737-jhwr-fqxj/GHSA-c737-jhwr-fqxj.json b/advisories/github-reviewed/2023/03/GHSA-c737-jhwr-fqxj/GHSA-c737-jhwr-fqxj.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c737-jhwr-fqxj",
-  "modified": "2025-03-05T13:54:16Z",
+  "modified": "2026-02-02T19:55:34Z",
   "published": "2023-03-12T06:30:21Z",
-  "aliases": [
-    "CVE-2021-46875"
-  ],
-  "summary": "Cross Site Scripting in eZ Platform Ibexa Kernel",
-  "details": "## Impact\n\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\nPatches\n\n## Patches\n\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\nImportant note\n\n## Important note\n\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.",
+  "withdrawn": "2026-02-02T19:55:34Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mrvj-7q4f-5p42. This link is maintained to preserve external references.\n\n## Original Description\n## Impact\n\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\nPatches\n\n## Patches\n\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\nImportant note\n\n## Important note\n\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.",
   "severity": [
     {
       "type": "CVSS_V3",
