This Security Advisory covers an enhancement to a kernel function that changes the priority (a sort order criterion) of nodes in node lists in eZ Publish. The enhancement provides another line of defense if the module calling this function fails to properly ensure that the user has the required permissions to execute this action.
A patch is available on GitHub (see link below).
A Security Update with the reference EZPESU-2012-003-KERNEL4.x is available for eZ Publish Enterprise customers.
Credit
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.
Patch
https://github.com/ezsystems/ezpublish/commit/e3581bb065a31d29bdc41bdba9e81abe26d8f352