This Security Advisory covers an issue related to block items in the eZ Flow extension. An attacker may be able to read protected content and change the order of blocks without having the right permissions. To exploit this, the attacker must have access to the eZ Flow functionality, a privilege usually given only to content contributors.
A patch is available on GitHub (see link below).
A Security Update with the reference EZPESU-2012-005-EZFLOW2.x is available for eZ Publish Enterprise customers.
Credit
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.
Patch
https://github.com/ezsystems/ezflow/commit/8b7d5bd340ce36ade0cf3fb6126b4f5a82d81c41