This Security Advisory fixes an issue related to browsing for content objects, tagging, reading and editing in the eZ OE extension, which is used by almost all eZ Publish installations. It may be possible to extract meta information about content nodes, though not the content itself, without having read access to them. In order to exploit this, the attacker must have access to the eZ Online Editor functionality, which is usually a privilege only given to content contributors.
A patch is available on GitHub (see link below).
A Security Update with the reference EZPESU-2012-002-EZOE5.x is available for eZ Publish Enterprise customers.
Patch
https://github.com/ezsystems/ezoe/commit/6521f3917c6f160b48012340550e39a2d53e0834
Credit
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.