User can obtain JWT token even if account is disabled

Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8

References

glye published to ezsystems/ezplatform-rest Sep 28, 2021

Reviewed Sep 28, 2021

Published to the GitHub Advisory Database Sep 29, 2021

Last updated Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

Weaknesses

CVE ID

GHSA ID

Source code