This Security Update fixes a cross-site scripting (XSS) vulnerability where an attacker could insert JavaScript commands into POST parameters of the login template. The update ensures that such commands cannot be executed. We strongly recommend that you install this Security Update as soon as possible.

If your web site has template overrides for login.tpl, please note it is mandatory to use the "wash" template operator on $postData:key and $postData:item, i.e. the usage should look like this:

Please also note that this fix is released as three independent updates, for different parts of eZ Publish and extensions.
Patches
eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/d5a5a482f9a429a3bb01827db6a5b3c30b0e9192
eZ Webin: https://github.com/ezsystems/ezwebin/commit/099b42a8a77206c233756a3475c234d720c9a85b
eZ Demo: https://github.com/ezsystems/ezdemo/commit/6d36d12d64d6ee5115eb5053478ea6a080f565a6
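
A check for the login.tpl override requirement above, as an added example (not eZ Systems' code): this Python script scans template text for `{...}` expressions in which `$postData:key` or `$postData:item` is not directly followed by `|wash`. The sample markup is constructed, and the pipe form `|wash` is an assumption about how the operator is applied; anything washed in another way is reported for manual review.

```python
import re
import sys

# Template expressions are written between { and }.
EXPR = re.compile(r"\{([^{}]*)\}")
# The two variables the advisory says must be washed.
VAR = re.compile(r"\$postData:(?:key|item)\b")
# Assumption: the operator is applied in pipe form right after the variable.
WASHED = re.compile(r"\s*\|\s*wash\b")

# Constructed sample override (not the shipped login.tpl).
SAMPLE_OVERRIDE = """\
<input type="hidden" name="{$postData:key}" value="{$postData:item|wash}" />
<input type="hidden" name="{$postData:key|wash}" value="{$postData:item}" />
<input type="hidden" name="{$postData:key|wash}" value="{$postData:item|wash}" />
"""


def find_unwashed(template_text):
    """Return (line_number, variable) for each use not followed by |wash."""
    findings = []
    for expr in EXPR.finditer(template_text):
        body = expr.group(1)
        for var in VAR.finditer(body):
            if WASHED.match(body, var.end()):
                continue
            offset = expr.start(1) + var.start()
            lineno = template_text.count("\n", 0, offset) + 1
            findings.append((lineno, var.group(0)))
    return findings


if __name__ == "__main__":
    # Usage: python check_wash.py path/to/override/login.tpl [...]
    # With no arguments, the constructed sample is scanned instead.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    if not sources:
        sources = {"<sample>": SAMPLE_OVERRIDE}
    bad = 0
    for name, text in sources.items():
        for lineno, var in find_unwashed(text):
            bad += 1
            print(f"{name}:{lineno}: {var} is output without |wash")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when it finds an unwashed use, so it can gate a deployment of customised templates.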