GHSA-HFPP-2VHW-QQ43
Vulnerability from github – Published: 2024-05-15 21:14 – Updated: 2024-05-15 21:14his Security Update fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. It affects eZ Platform 2.x.
The functionality for resetting a forgotten password is vulnerable to brute force attack. Depending on configuration and other circumstances an attacker may exploit this to gain control over user accounts. The update ensures such an attack is exceedingly unlikely to succeed.
You may want to consider a configuration change to further strengthen your security. By default a password reset request is valid for 1 hour. Reducing this time will make attacks even more difficult, but ensure there is enough time left to account for email delivery delays, and user delays. See documentation at https://doc.ezplatform.com/en/latest/guide/user_management/#changing-and-recovering-passwords
To install, use Composer to update to one of the "Resolving versions" mentioned above. If you use eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. If you use eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, and ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-user"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T21:14:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "his Security Update fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. It affects eZ Platform 2.x.\n \nThe functionality for resetting a forgotten password is vulnerable to brute force attack. Depending on configuration and other circumstances an attacker may exploit this to gain control over user accounts. The update ensures such an attack is exceedingly unlikely to succeed.\n \nYou may want to consider a configuration change to further strengthen your security. By default a password reset request is valid for 1 hour. Reducing this time will make attacks even more difficult, but ensure there is enough time left to account for email delivery delays, and user delays. See documentation at https://doc.ezplatform.com/en/latest/guide/user_management/#changing-and-recovering-passwords\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above. If you use eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. If you use eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, and ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5)",
"id": "GHSA-hfpp-2vhw-qq43",
"modified": "2024-05-15T21:14:48Z",
"published": "2024-05-15T21:14:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform-user/2019-04-03-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezplatform-user"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201025103933/https://share.ez.no/community-project/security-advisories/ezsa-2019-002-password-reset-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "eZ Platform Admin UI Password reset vulnerability"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.