Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd2d2ctMzloOC04cXA4

High
Permalink JSON

/user/sessions endpoint allows detecting valid accounts

Affected Packages Affected Versions Fixed Versions
packagist:ezsystems/ezplatform-rest >= 1.3.0, <= 1.3.1.0, >= 1.2.0, <= 1.2.2.0 1.3.1.1, 1.2.2.1
33 Dependent packages
36 Dependent repositories
428,168 Downloads total

Affected Version Ranges

All affected versions

v1.2.0, v1.2.0-beta1, v1.2.0-rc1, v1.2.1, v1.2.2, v1.2.3, v1.2.4, v1.2.5, v1.3.0, v1.3.0-beta1, v1.3.0-rc1, v1.3.0-rc2, v1.3.1, v1.3.2, v1.3.3, v1.3.4, v1.3.5, v1.3.6, v1.3.7, v1.3.8, v1.3.9, v1.3.10, v1.3.11, v1.3.12, v1.3.13, v1.3.14, v1.3.15, v1.3.16, v1.3.17, v1.3.18, v1.3.19, v1.3.20, v1.3.21, v1.3.22, v1.3.23, v1.3.24, v4.0.0-alpha1, v4.0.0-alpha2

All unaffected versions

v1.0.0, v1.0.1, v1.0.2, v1.1.0, v1.1.1, v1.1.2

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc

References:

Identifiers

GHSA-7vwg-39h8-8qp8

Risk

Severity

High

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ezsystems/ezplatform-rest

Date and time

Published

over 4 years ago

Updated

almost 3 years ago

API

JSON