This Security Advisory covers an issue with content fetching in eZ JS Core that may be exploitable remotely, depending on the extension's function access policy settings. In the worst case, which is also the default setting, an anonymous attacker may be able to extract the metadata and content of any content object in the database, including user objects. The patch also fixes a second issue, where an attacker can change the priority of a node (a sort-order criterion used in node lists) without having edit access to the node.
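The two problems described above share one root cause: the ezjscore function access policy only decides who may call an AJAX server function (by default anyone, including the Anonymous user), while the data returned or modified by that function is governed by ordinary eZ Publish content permissions that must be checked per object. The following is an added illustration of a server function that performs both checks; it is not code from this advisory or from the ezjscore extension. The class name and method names are invented for the example, and the eZ Publish legacy API calls it relies on (ezjscServerFunctions, eZContentObject::fetch, canRead, eZContentObjectTreeNode::fetch, canEdit, setAttribute, store) are assumed to behave as used here; verify them against your eZ Publish version.

```php
<?php
// Added illustrative example, not ezjscore's own code.
// Shows the two object-level checks the advisory says were missing:
//  - content/read on each content object returned by an AJAX fetch
//  - content/edit on a node before its priority (sort order) is changed
// Assumed API: ezjscServerFunctions base class, eZContentObject::fetch(),
// eZContentObject::canRead(), eZContentObjectTreeNode::fetch(),
// eZContentObjectTreeNode::canEdit(), setAttribute(), store().

class ezjscServerFunctionsExampleHardened extends ezjscServerFunctions
{
    // Return a content object's metadata to an AJAX caller.
    // Being allowed to call this function (ezjscore policy) is not the same as
    // being allowed to read a given object, so canRead() is checked per object.
    public static function fetchObject( $args )
    {
        $objectID = isset( $args[0] ) ? (int) $args[0] : 0;
        $object = eZContentObject::fetch( $objectID );
        if ( !( $object instanceof eZContentObject ) )
        {
            return array( 'error_text' => 'No such object' );
        }

        // Hardened: refuse unless the current user may read this specific object.
        // Without this check an anonymous caller could enumerate every object
        // in the database, user objects included.
        if ( !$object->canRead() )
        {
            return array( 'error_text' => 'Access denied' );
        }

        return array(
            'id'   => $object->attribute( 'id' ),
            'name' => $object->attribute( 'name' ),
            // expose only the fields the caller is entitled to see
        );
    }

    // Change a node's priority, which alters its position in sorted node lists.
    // This is a write, so it must require edit access on the node itself.
    public static function updatePriority( $args )
    {
        $nodeID   = isset( $args[0] ) ? (int) $args[0] : 0;
        $priority = isset( $args[1] ) ? (int) $args[1] : 0;
        $node = eZContentObjectTreeNode::fetch( $nodeID );
        if ( !( $node instanceof eZContentObjectTreeNode ) )
        {
            return array( 'error_text' => 'No such node' );
        }

        // Hardened: a user without content/edit on this node must not reorder it.
        if ( !$node->canEdit() )
        {
            return array( 'error_text' => 'Access denied' );
        }

        $node->setAttribute( 'priority', $priority );
        $node->store();
        return array( 'node_id' => $nodeID, 'priority' => $priority );
    }
}
```

The check belongs in the server function itself: tightening the function access policy (for example, denying ezjscore/call to Anonymous) reduces exposure but does not stop an authenticated low-privilege user from reading or reordering content they have no rights to, which is why the upstream fix is needed in addition to any policy changes.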
We recommend that you disable this extension until you have installed this patch.
The patch is available on GitHub (see link below).
A Security Update with the reference EZPESU-2012-001-EZJSCORE1.x is available for eZ Publish Enterprise customers.
Patch
https://github.com/ezsystems/ezjscore/commit/de5503198ffa325a4a65fbc34d396bd0f2bfbec4
Credit
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for discovering and reporting this vulnerability.