Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00NXFtLWo0bTktd2h2Oc4AA8Hm

eZ Platform CSRF token in login form is disabled by default

his security advisory fixes a potential vulnerability in the eZ Platform log in form. That form has a Cross-Site Request Forgery (CSRF) token, but the CSRF functionality is not enabled by default, meaning the token is inactive. The fix is distributed via Composer as ezsystems/ezplatform v2.5.4, and in v3.0.0 when that will be released.

If you'd like to manually enable it in your configuration, this is done by editing your app/config/security.yml and setting the "csrf_token_generator" key to "security.csrf.token_manager", like this:

security:
    firewalls:
        ezpublish_front:
            form_login:
                csrf_token_generator: security.csrf.token_manager

NB: In eZ Platform 3.0 this file has been moved to config/packages/security.yaml

Permalink: https://github.com/advisories/GHSA-45qm-j4m9-whv9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NXFtLWo0bTktd2h2Oc4AA8Hm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago

Identifiers: GHSA-45qm-j4m9-whv9
References:

• https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform/2019-06-27-1.yaml
• https://share.ez.no/community-project/security-advisories/ezsa-2019-004-csrf-token-in-login-form-is-disabled-by-default
• https://web.archive.org/web/20210614185223/https://share.ez.no/community-project/security-advisories/ezsa-2019-004-csrf-token-in-login-form-is-disabled-by-default
• https://github.com/advisories/GHSA-45qm-j4m9-whv9

Blast Radius: 0.0

Affected Packages