CVE-2021-46876 — Observable Discrepancy in EZ Platform Kernel

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 53.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedMar 12

Description

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

▶NVDibexa/ez_platform_kernel6.13.0 — 6.13.8.1+1

▶Packagistezsystems/ezpublish-kernel6.13.0 — 6.13.8.1+1

OSV

Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel↗2023-03-12

▶

OSV

/user/sessions endpoint allows detecting valid accounts↗2021-03-11

▶

GHSA

/user/sessions endpoint allows detecting valid accounts↗2021-03-11

▶