WS-2018-0213 | Mend Vulnerability Database

Vulnerability DatabaseWS-2018-0213

WS-2018-0213

Published:May 14, 2026

Updated:May 14, 2026

PHAR archives may be crafted such that their stream wrapper will execute them without being specifically asked to. With such files, any PHP file operation may cause deserialisation and execution.

Affected Packages

ezsystems/ezplatform (PHP):

Affected version(s) >=v1.7.8-rc2 <v1.7.8.1

Fix Suggestion:

Update to version v1.7.8.1

ezsystems/ezstudio (PHP):

Affected version(s) =v1.13.4-beta1 <v1.13.4-rc1

Fix Suggestion:

Update to version v1.13.4-rc1

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) =dev-ezee-2110 <dev-run-tests-on-ezp-31023

Fix Suggestion:

Update to version dev-run-tests-on-ezp-31023

ezsystems/ezplatform (PHP):

Affected version(s) >=v2.0.1 <v2.2.3.1

Fix Suggestion:

Update to version v2.2.3.1

ezsystems/ezplatform-demo (PHP):

Affected version(s) =v1.13.4 <v2.0.0-rc1

Fix Suggestion:

Update to version v2.0.0-rc1

ezsystems/ezplatform-demo (PHP):

Affected version(s) >=v2.0.2 <v2.1.1-rc1

Fix Suggestion:

Update to version v2.1.1-rc1

ezsystems/ezstudio-demo (PHP):

Affected version(s) >=dev-block-definitions <dev-fix-demo-builds

Fix Suggestion:

Update to version dev-fix-demo-builds

ezsystems/ezstudio (PHP):

Affected version(s) >=v2.0.1 <2.2.x-dev

Fix Suggestion:

Update to version 2.2.x-dev

ezsystems/ezplatform-demo (PHP):

Affected version(s) =v2.2.0 <v2.2.1-rc1

Fix Suggestion:

Update to version v2.2.1-rc1

netgen/media-site (PHP):

Affected version(s) >=1.0.1 <1.0.4

Fix Suggestion:

Update to version 1.0.4

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) >=dev-block-definitions <dev-fix-demo-builds

Fix Suggestion:

Update to version dev-fix-demo-builds

ezsystems/ezstudio (PHP):

Affected version(s) >=v1.7.8-rc2 <v1.7.8.1

Fix Suggestion:

Update to version v1.7.8.1

ezsystems/ezplatform-ee (PHP):

Affected version(s) =dev-block-definitions <dev-block_translation_example

Fix Suggestion:

Update to version dev-block_translation_example

ezsystems/ezplatform-ee (PHP):

Affected version(s) =2.0.x-dev <dev-enabled_oauth2

Fix Suggestion:

Update to version dev-enabled_oauth2

ezsystems/ezstudio-demo (PHP):

Affected version(s) >=v2.2.0 <v2.2.2-rc2

Fix Suggestion:

Update to version v2.2.2-rc2

ezsystems/ezplatform (PHP):

Affected version(s) >=v2.3.0-beta1 <v2.3.2.1

Fix Suggestion:

Update to version v2.3.2.1

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v2.0.1 <2.2.x-dev

Fix Suggestion:

Update to version 2.2.x-dev

ezsystems/ezstudio (PHP):

Affected version(s) =dev-block-definitions <dev-block_translation_example

Fix Suggestion:

Update to version dev-block_translation_example

ezsystems/ezstudio (PHP):

Affected version(s) >=v2.2.0 <v2.2.3.1

Fix Suggestion:

Update to version v2.2.3.1

ezsystems/ezplatform (PHP):

Affected version(s) >=v1.13.4-beta1 <v1.13.4.1

Fix Suggestion:

Update to version v1.13.4.1

ezsystems/ezstudio (PHP):

Affected version(s) =2.0.x-dev <dev-enabled_oauth2

Fix Suggestion:

Update to version dev-enabled_oauth2

ezsystems/ezstudio (PHP):

Affected version(s) >=v2.3.0-beta1 <2.3.x-dev

Fix Suggestion:

Update to version 2.3.x-dev

ezsystems/ezstudio-demo (PHP):

Affected version(s) =v2.2.2 <v2.2.3

Fix Suggestion:

Update to version v2.2.3

ezsystems/ezstudio-demo (PHP):

Affected version(s) >=dev-new-landing-pages <v1.0.0-alpha1

Fix Suggestion:

Update to version v1.0.0-alpha1

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) >=dev-DEMO-194-lp-embed-products <dev-DEMO-304-Fix-For-HTML-Decoding

Fix Suggestion:

Update to version dev-DEMO-304-Fix-For-HTML-Decoding

ezsystems/ezplatform-demo (PHP):

Affected version(s) =v2.1.1 <2.2.x-dev

Fix Suggestion:

Update to version 2.2.x-dev

ezsystems/ezstudio (PHP):

Affected version(s) =dev-ezee-2110 <dev-EZEE-2817_scheduled_blocks_in_calendar_view

Fix Suggestion:

Update to version dev-EZEE-2817_scheduled_blocks_in_calendar_view

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v1.13.4-rc2 <v1.13.4.1

Fix Suggestion:

Update to version v1.13.4.1

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) >=dev-new-landing-pages <v1.0.0-alpha1

Fix Suggestion:

Update to version v1.0.0-alpha1

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v2.3.0 <v2.3.2.1

Fix Suggestion:

Update to version v2.3.2.1

ezsystems/ezstudio (PHP):

Affected version(s) >=v1.13.4-rc2 <v1.13.4.1

Fix Suggestion:

Update to version v1.13.4.1

ezsystems/ezstudio-demo (PHP):

Affected version(s) >=dev-DEMO-194-lp-embed-products <dev-DEMO-304-Fix-For-HTML-Decoding

Fix Suggestion:

Update to version dev-DEMO-304-Fix-For-HTML-Decoding

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v1.7.8-rc2 <v1.7.8.1

Fix Suggestion:

Update to version v1.7.8.1

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v2.3.0-beta1 <2.3.x-dev

Fix Suggestion:

Update to version 2.3.x-dev

ezsystems/ezstudio-demo (PHP):

Affected version(s) =dev-ezee-2110 <dev-run-tests-on-ezp-31023

Fix Suggestion:

Update to version dev-run-tests-on-ezp-31023

ezsystems/ezplatform (PHP):

Affected version(s) =dev-ct_on_content_for_travis <dev-docker-varnish-fix-backport

Fix Suggestion:

Update to version dev-docker-varnish-fix-backport

ezsystems/ezplatform-ee (PHP):

Affected version(s) =dev-ezee-2110 <dev-EZEE-2817_scheduled_blocks_in_calendar_view

Fix Suggestion:

Update to version dev-EZEE-2817_scheduled_blocks_in_calendar_view

ezsystems/ezstudio-demo (PHP):

Affected version(s) >=dev-form-builder <dev-master

Fix Suggestion:

Update to version dev-master

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) =v2.2.2 <v2.2.3

Fix Suggestion:

Update to version v2.2.3

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) >=dev-form-builder <dev-master

Fix Suggestion:

Update to version dev-master

ezsystems/ezstudio (PHP):

Affected version(s) >=v2.3.0 <v2.3.2.1

Fix Suggestion:

Update to version v2.3.2.1

netgen/media-site (PHP):

Affected version(s) =1.0.0 <dev-NGSTACK-1_fix_broken_JS_in_cookie_ribbon

Fix Suggestion:

Update to version dev-NGSTACK-1_fix_broken_JS_in_cookie_ribbon

ezsystems/ezplatform-ee (PHP):

Affected version(s) >=v2.2.0 <v2.2.3.1

Fix Suggestion:

Update to version v2.2.3.1

ezsystems/ezplatform-demo (PHP):

Affected version(s) =2.0.x-dev <dev-2.0-hybrid-ui

Fix Suggestion:

Update to version dev-2.0-hybrid-ui

ezsystems/ezplatform-ee-demo (PHP):

Affected version(s) >=v2.2.0 <v2.2.2-rc2

Fix Suggestion:

Update to version v2.2.2-rc2

ezsystems/ezplatform-ee (PHP):

Affected version(s) =v1.13.4-beta1 <v1.13.4-rc1

Fix Suggestion:

Update to version v1.13.4-rc1

Related Resources (2)

https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd

http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH