Security advisory: IBEXA-SA-2021-002

/user/sessions endpoint allows detecting valid accounts
Publication date:
09.03.21, 16:20


Affected versions: ezpublish-kernel v6.13.*, v7.5.*, and ezplatform-rest v1.2.*, v1.3.*
Resolving versions: ezpublish-kernel v6.13.8.1, v7.5.15.1, and ezplatform-rest v1.2.2.1, v1.3.1.1

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer, see resolving versions above.

If you come across a security issue in our products, here is how you can report it to us:

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories