This site has been archived and you can no longer log in or post new messages. For up-to-date community resources please visit ezplatform.com

eZ Community » Security Advisories » EZSA-2019-002: Password reset...

EZSA-2019-002: Password reset vulnerability

Publication date : 03/04/2019
Severity : High
Affected versions : eZ Platform 2.x, specifically ezsystems/ezplatform-user v1.0.0, and ezsystems/ezplatform-admin-ui v1.4.x
Resolving versions : ezsystems/ezplatform-user v1.0.1 or ezsystems/ezplatform-admin-ui v1.4.6 (including ezsystems/ezplatform-admin-ui-modules v1.4.4 and ezsystems/repository-forms v2.4.5)

This Security Update fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. It affects eZ Platform 2.x.
 
The functionality for resetting a forgotten password is vulnerable to brute force attack. Depending on configuration and other circumstances an attacker may exploit this to gain control over user accounts. The update ensures such an attack is exceedingly unlikely to succeed.
 
You may want to consider a configuration change to further strengthen your security. By default a password reset request is valid for 1 hour. Reducing this time will make attacks even more difficult, but ensure there is enough time left to account for email delivery delays, and user delays. See documentation at https://doc.ezplatform.com/en/latest/guide/user_management/#changing-and-recovering-passwords

To install, use Composer to update to one of the "Resolving versions" mentioned above. If you use eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. If you use eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, and ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5)

If you come across a security issue in our products, here is how you can report it to us: https://doc.ez.no/Security

36 542 Users on board!

Community Project menu

Proudly Developed with from