GHSA-36mj-6r7r-mqhf – ezsystems/ezplatform-rest

Package

Manager: composer
Name: ezsystems/ezplatform-rest
Vulnerable Version: >=1.3.0 <1.3.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

User can obtain JWT token even if account is disabled Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8

Metadata

Created: 2021-09-29T17:09:23Z
Modified: 2021-09-28T21:21:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-36mj-6r7r-mqhf/GHSA-36mj-6r7r-mqhf.json
CWE IDs: ["CWE-284"]
Alternative ID: N/A
Finding: F039
Auto approve: 1