This update fixes a cross-site scripting (XSS) security issue in eZ JS
Core. When the ezjscore module is activated and the ezjscnode service is
accessible, an attacker can create a clickable link consisting of an
ezjscore RUN command and some JavaScript code. When a Firefox user
follows such a link, the JavaScript will be executed with the user's
access permissions. We strongly recommend that you install the update as
soon as possible.
Patch
https://github.com/ezsystems/ezjscore/commit/58854564c7b8672090c25c4b1677d08620d870f2
A Security Update with the reference EZPESU-2012-006-EZJSCORE1.x is available for eZ Publish Enterprise customers.
Credit
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for discovering and reporting this vulnerability.