Observable Discrepancy
CVE-2021-46876
Summary
An issue was discovered in ezpublish-kernel 6.13.0 through 6.13.8 and 7.5.0-rc1 through 7.5.15 and ezplatform-rest 1.2.0-beta1 through 1.2.2 and 1.3.0-beta1 through 1.3.1. The "/user/sessions" endpoint can be abused to determine account existence.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Advisory Timeline
- Published