Skip to content

/user/sessions endpoint allows detecting valid accounts

High severity GitHub Reviewed Published Mar 9, 2021 in ezsystems/ezpublish-kernel • Updated Jan 9, 2023

Package

composer ezsystems/ezpublish-kernel (Composer)

Affected versions

>= 6.13.0, <= 6.13.8.0
>= 7.5.0, <= 7.5.15.0

Patched versions

6.13.8.1
7.5.15.1

Description

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc

References

@glye glye published to ezsystems/ezpublish-kernel Mar 9, 2021
Reviewed Mar 11, 2021
Published to the GitHub Advisory Database Mar 11, 2021
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-gmrf-99gw-vvwj

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.