Ibexa eZ Platform /user/sessions endpoint can be abused to determine account existence

Go back

severity: high
date: March 12, 2023
Affecting: ezpublish-kernel versions 6.13.0 through 16.13.8.0 and 7.5.0 through 7.5.15.0
CVE: CVE-2021-46876
CVE type: Observable Discrepancy
CVSS: 3.7
CVSS V3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References: GHSA-gmrf-99gw-vvwj
fix commit