This Security Update fixes a cross-site scripting (XSS) vulnerability where an attacker could insert JavaScript commands into the ViewMode parameter of the Browse view. The update ensures that such commands cannot be executed. We strongly recommend that you install this Security Update as soon as possible.

If your web site has a template override for browse.tpl, please note that it is mandatory to use the "wash" template operator on "{$cancel_action}", i.e. it should read "".

Please also note that this fix is released as four independent updates, for different parts of eZ Publish and extensions.
Patches
eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/cae73336555934968ec3fcaf987094075424c4fa
eZ Webin: https://github.com/ezsystems/ezwebin/commit/4c2ffdc51d0a30c43e6eb723ce89156829b68c92
eZ Demo: https://github.com/ezsystems/ezdemo/commit/233bff1b4910fcc7e6cbffdd0b03f2c3cc26e5c1
eZ XMLExport: https://github.com/ezsystems/ezxmlexport/commit/df26c3915fd582bddaf9ca6a488efe6972cf60bc
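
The patches do not touch site-specific overrides of browse.tpl, so those need to be checked by hand or by script. The following is an added example, not part of the eZ Systems patches: it finds every browse.tpl below a directory and reports each "{$cancel_action}" output that is not passed through the wash operator. The function names, the script name and the sample lines are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Any template expression that outputs $cancel_action, with or without operators:
# {$cancel_action}, {$cancel_action|wash}, {$cancel_action|wash( xhtml )}
EXPR = re.compile(r"\{\s*\$cancel_action\b([^}]*)\}")
WASH = re.compile(r"\|\s*wash\b")


def unwashed_uses(template_text):
    """Return (line_number, expression) for each $cancel_action output lacking |wash."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in EXPR.finditer(line):
            if not WASH.search(match.group(1)):
                findings.append((lineno, match.group(0)))
    return findings


def scan_overrides(root):
    """Check every browse.tpl below root; return {path: findings} for files to fix."""
    report = {}
    for path in sorted(Path(root).rglob("browse.tpl")):
        hits = unwashed_uses(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample lines (not taken from the eZ Publish templates).
SAMPLE_UNPATCHED = '<input type="hidden" value="{$cancel_action}" />'
SAMPLE_PATCHED = '<input type="hidden" value="{$cancel_action|wash}" />'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage (hypothetical script name): python check_browse_tpl.py /path/to/site/root
        results = scan_overrides(sys.argv[1])
        for tpl, hits in results.items():
            for lineno, expr in hits:
                print(f"{tpl}:{lineno}: {expr} is not passed through wash")
        sys.exit(1 if results else 0)
    print(unwashed_uses(SAMPLE_UNPATCHED))  # one finding
    print(unwashed_uses(SAMPLE_PATCHED))    # no findings
```

The script exits non-zero when any override still needs the operator, so it can run as a deployment check after the update is installed.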