Описание
Time-Based Information Disclosure Vulnerability in Flow
The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.
Пакеты
Наименование
neos/flow
composer
Затронутые версииВерсия исправления
>= 2.3.0, < 2.3.16
2.3.16
Наименование
neos/flow
composer
Затронутые версииВерсия исправления
>= 3.0.0, < 3.0.10
3.0.10
Наименование
neos/flow
composer
Затронутые версииВерсия исправления
>= 3.1.0, < 3.1.7
3.1.7
Наименование
neos/flow
composer
Затронутые версииВерсия исправления
>= 3.2.0, < 3.2.7
3.2.7
Наименование
neos/flow
composer
Затронутые версииВерсия исправления
>= 3.3.0, < 3.3.5
3.3.5
5.3 Medium
CVSS3
5.3 Medium
CVSS3