GHSA-89p3-9j8c-fqh4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-89p3-9j8c-fqh4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-89p3-9j8c-fqh4/GHSA-89p3-9j8c-fqh4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-89p3-9j8c-fqh4
- Aliases
-
- CVE-2021-46876
- Published
- 2023-03-12T06:30:21Z
- Modified
- 2024-11-30T05:48:42.814057Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- User account enumeration in eZ Publish Ibexa Kernel
- Details
-
This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
- Database specific
{ "nvd_published_at": "2023-03-12T05:15:00Z", "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-03-13T20:58:01Z" }- References
Affected packages
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel
Affected versions
v6.*
v6.13.0
v6.13.0.1
v6.13.1-rc1
v6.13.1
v6.13.1.1
v6.13.1.2
v6.13.2-beta1
v6.13.2-rc1
v6.13.2
v6.13.3-beta1
v6.13.3-rc1
v6.13.3
v6.13.4-beta1
v6.13.4-rc1
v6.13.4
v6.13.5
v6.13.5.1
v6.13.6-rc1
v6.13.6
v6.13.6.2
v6.13.6.3
v6.13.6.4
v6.13.6.5
v6.13.6.6
v6.13.7-beta1+EZP-30823.preview
v6.13.7-beta2
v6.13.8-rc1
v6.13.8
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel