Описание
User can obtain JWT token even if account is disabled
Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8
Пакеты
Наименование
ezsystems/ezplatform-rest
composer
Затронутые версииВерсия исправления
>= 1.3.0, < 1.3.8
1.3.8
Дефекты
CWE-284
Дефекты
CWE-284