Name of the Vulnerable Software and Affected Versions eZ Platform versions 2.x

Description The issue affects the password reset functionality in the eZ Platform Admin UI, making it vulnerable to brute force attacks. Depending on the configuration, an attacker may exploit this to gain control over user accounts. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations For eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. For eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5. As a temporary workaround, consider reducing the password reset request validity time to make attacks more difficult, ensuring enough time is left for email delivery delays and user delays.