This Security Advisory covers an issue related to image removal in the eZ Style Editor extension. An attacker may be able to delete any object by knowing or guessing its node ID. This vulnerability can be exploited by anonymous users, and we strongly recommend installing the patch as soon as possible.
We recommend that you disable this extension until you have installed this patch.
A patch is available on GitHub (see link below).
A Security Update with the reference EZPESU-2012-004-EZSTYLEEDITOR1.x is available for eZ Publish Enterprise customers.
Credit
eZ Systems would like to thank Yann MICHARD at the security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.
Patch
https://github.com/ezsystems/ezstyleeditor/commit/19ca5cb77fbde32a2571db9e0b3046e46883a03f