PT-2023-12597 · Ibexa · Ibexa Dxp+3

Published

2021-03-11

·

Updated

2025-03-05

·

CVE-2021-46876

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

eZ Publish Ibexa Kernel versions prior to 7.5.15.1
eZ Platform versions 1.13, 2.5, and 3.2
Ibexa DXP and Ibexa Open Source version 3.3

Description

The "/user/sessions" endpoint can be abused to determine whether a given account exists. The endpoint responds differently depending on whether the supplied username matches an existing user, so an unauthenticated attacker can enumerate valid accounts by comparing response data or response time across requests.

Recommendations

For eZ Publish Ibexa Kernel versions prior to 7.5.15.1, update to version 7.5.15.1 or later.
For eZ Platform versions 1.13, 2.5, and 3.2, update using Composer to receive the fix.
For Ibexa DXP and Ibexa Open Source version 3.3, update using Composer to receive the fix.
As a temporary workaround, restrict access to the "/user/sessions" endpoint (for example with an allow-list at the reverse proxy) until the fix is applied.
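The existence leak described above, as an added example that is not part of the original advisory or of Ibexa's code: two versions of a session-creation handler over a constructed in-memory user store. The vulnerable handler returns early with a distinct message when the username is unknown, so both the response body and the amount of work (and therefore the response time) differ between "no such user" and "wrong password". The hardened handler does the same hashing work and returns the same response in both cases. Handler names, messages and the PBKDF2 parameters are assumptions, not the real endpoint's behaviour.

```python
"""Added example, not code from Ibexa or eZ. The handlers, messages and
PBKDF2 parameters below are assumptions chosen to illustrate the leak."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

ITERATIONS = 50_000   # assumed PBKDF2 cost; any fixed, non-trivial value works
HASH_CALLS = 0        # counts expensive hash operations, a proxy for response time

Handler = Callable[[str, str], Tuple[int, str]]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; each call is counted so work per request is observable."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, password hash)
_ALICE_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT)),
}

# Dummy credential verified when the username is unknown, so the hardened
# handler spends the same effort whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def vulnerable_create_session(username: str, password: str) -> Tuple[int, str]:
    """Leaks account existence: early return, distinct message, no hash work."""
    record = USERS.get(username)
    if record is None:
        return 401, "Unknown user"
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return 201, "Session created"
    return 401, "Wrong password"


def hardened_create_session(username: str, password: str) -> Tuple[int, str]:
    """Same response and same hashing work whether or not the account exists."""
    exists = username in USERS
    salt, stored = USERS[username] if exists else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    # The `exists` check guards the edge case where the guessed password
    # happens to equal the dummy credential: never create a session for it.
    if ok and exists:
        return 201, "Session created"
    return 401, "Invalid credentials"


def responses_distinguish(handler: Handler) -> bool:
    """True if the handler answers an unknown user differently from a wrong
    password for a known user, i.e. the response data leaks existence."""
    unknown = handler("nobody", "guess")
    known_wrong = handler("alice", "guess")
    return unknown != known_wrong


def hash_calls_for(handler: Handler, username: str, password: str) -> int:
    """Number of expensive hash operations one request triggers (timing proxy)."""
    before = HASH_CALLS
    handler(username, password)
    return HASH_CALLS - before


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_create_session),
                          ("hardened", hardened_create_session)):
        print(name, "| response leak:", responses_distinguish(handler),
              "| hash calls unknown/known:",
              hash_calls_for(handler, "nobody", "guess"),
              hash_calls_for(handler, "alice", "guess"))
```

The hash-call counter stands in for wall-clock timing, which is noisy in a unit test; against a live endpoint an attacker would take many samples per username and compare medians. Note that the hardened handler only removes the difference between "unknown user" and "wrong password"; a successful login still differs, as it must, and rate limiting or the access restriction from the workaround above is still worthwhile against brute-force use of the same endpoint.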

Fix

Side Channel Attack


Weakness Enumeration

Related identifiers

CVE-2021-46876
GHSA-89P3-9J8C-FQH4
GHSA-GMRF-99GW-VVWJ

Affected products

Ibexa Dxp
Ibexa Open Source
Ez Platform
Ez Publish Ibexa Kernel