eZ Platform CSRF token in login form is disabled by default
High severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
his security advisory fixes a potential vulnerability in the eZ Platform log in form. That form has a Cross-Site Request Forgery (CSRF) token, but the CSRF functionality is not enabled by default, meaning the token is inactive. The fix is distributed via Composer as ezsystems/ezplatform v2.5.4, and in v3.0.0 when that will be released.
If you'd like to manually enable it in your configuration, this is done by editing your app/config/security.yml and setting the "csrf_token_generator" key to "security.csrf.token_manager", like this:
NB: In eZ Platform 3.0 this file has been moved to config/packages/security.yaml
References