GHSA-45qm-j4m9-whv9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-45qm-j4m9-whv9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-45qm-j4m9-whv9/GHSA-45qm-j4m9-whv9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-45qm-j4m9-whv9
- Published
- 2024-05-15T21:15:21Z
- Modified
- 2024-11-29T05:31:32.475184Z
- Summary
- eZ Platform CSRF token in login form is disabled by default
- Details
-
his security advisory fixes a potential vulnerability in the eZ Platform log in form. That form has a Cross-Site Request Forgery (CSRF) token, but the CSRF functionality is not enabled by default, meaning the token is inactive. The fix is distributed via Composer as ezsystems/ezplatform v2.5.4, and in v3.0.0 when that will be released.
If you'd like to manually enable it in your configuration, this is done by editing your app/config/security.yml and setting the "csrftokengenerator" key to "security.csrf.token_manager", like this:
security: firewalls: ezpublish_front: form_login: csrf_token_generator: security.csrf.token_managerNB: In eZ Platform 3.0 this file has been moved to config/packages/security.yaml
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-352" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-05-15T21:15:21Z" }- References
-
- https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform/2019-06-27-1.yaml
- https://github.com/ezsystems/ezplatform
- https://share.ez.no/community-project/security-advisories/ezsa-2019-004-csrf-token-in-login-form-is-disabled-by-default
- https://web.archive.org/web/20210614185223/https://share.ez.no/community-project/security-advisories/ezsa-2019-004-csrf-token-in-login-form-is-disabled-by-default
Affected packages
Packagist / ezsystems/ezplatform
Package
- Name
- ezsystems/ezplatform
- Purl
- pkg:composer/ezsystems/ezplatform