
Fixed Bug - Insufficient permission checking

What is the problem?

This is a real rarity: an eZ security issue. An issue was found in eZ Publish versions 3.8/3.9. The affected sites are ones that use

  • Discount in eZ Shop
  • some advanced changes to the eZ Publish shop.

Will this affect me?

If you have an active eZ Network account then no. This was patched on Monday so you are safe.

If you do not have eZ Network and you use the eZ Shop then you might be at risk and should get a check or just upgrade.

Please contact us if you need help.

What eZ say

The eZ Publish 3.9.3 and 3.8.9 releases fix a security issue of high severity. These releases also fix several reported bugs.

Insufficient permission checking on views without a policy function defined

Insufficient permission checking was done on module views that do not have a policy function defined. This could cause problems in modules where views with a policy function were mixed with views without a policy function. This flaw made the discount functionality in the shop module vulnerable. Sites where users have explicit permission to policies in the setup module could also be vulnerable.

All users using the discount functionality in the shop module or that have defined roles with explicit policies in the setup module are encouraged to upgrade to the corresponding release. Also, users with sites containing views with and without policy functions in the same custom module are encouraged to upgrade to the corresponding release or to update their custom code so that every view has a policy function defined.

Information on how to define policy functions in views in custom code is described here:

http://ez.no/doc/ez_publish/technical_manual/3_9/features/policy_functions

See the changelogs for a complete list of fixed bugs:

http://ez.no/download/ez_publish/changelogs/ez_publish_3_9/changelog_3_9_2_to_3_9_3
http://ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_8_8_to_3_8_9

The releases are available for download from our eZ Publish download page.

http://ez.no/download/ez_publish
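
For sites with custom modules, the check eZ recommends (every view has a policy function) can be run over your own module.php files. The script below is an added example, not code from eZ or VisionWT. It assumes each module.php only assigns the $Module, $ViewList and $FunctionList arrays and that a view's policy functions are listed under its 'functions' key; the function name and the "mymodule" sample are hypothetical.

```php
<?php
// Added example: report views in an eZ Publish 3.x module.php that declare
// no policy function, and whether they sit beside views that do (the mix
// the advisory describes). Run it only against your own code base, because
// the module file is included and therefore executed.
function viewsWithoutPolicyFunction(string $moduleFile): array
{
    $ViewList = [];       // filled in by the included module.php
    include $moduleFile;  // assumption: the file only assigns arrays

    $unprotected = [];
    $protected = 0;
    foreach ($ViewList as $view => $definition) {
        // Assumption: a missing or empty 'functions' entry means no policy function.
        if (empty($definition['functions'])) {
            $unprotected[] = $view;
        } else {
            $protected++;
        }
    }
    return [
        'unprotected' => $unprotected,
        'mixed'       => $protected > 0 && $unprotected !== [],
    ];
}

// Constructed sample module, used when no path is given on the command line.
$sample = <<<'PHP'
<?php
$Module = array( 'name' => 'mymodule' );
$ViewList = array();
$ViewList['list'] = array( 'script' => 'list.php', 'functions' => array( 'read' ) );
$ViewList['export'] = array( 'script' => 'export.php' );
$FunctionList = array();
$FunctionList['read'] = array();
PHP;

$files = array_slice($argv ?? [], 1);
if ($files === []) {
    $tmp = tempnam(sys_get_temp_dir(), 'mod');
    file_put_contents($tmp, $sample);
    $files = [$tmp];
}
foreach ($files as $file) {
    $result = viewsWithoutPolicyFunction($file);
    $views = $result['unprotected'] ? implode(', ', $result['unprotected']) : 'none';
    $note = $result['mixed'] ? ' (mixed with views that have one)' : '';
    echo "$file: views without a policy function: $views$note\n";
}
```

Pass the paths of your custom module.php files as arguments to audit them instead of the constructed sample.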

Why is VisionWT doing this?

To help keep you up to date with the fast-moving world of eZ Publish NOW/Premium, which uses the eZ Network. We wanted a dedicated place for editors and administrators to find out what is changing in an easy, non-technical way.

eZ Network

  • Major updates
  • New features
  • Minor fixes
  • Security fixes

All this without paying for someone to update it.
