GHSA-45qm-j4m9-whv9: eZ Platform CSRF token in login form is disabled by default
This security advisory addresses a potential vulnerability in the eZ Platform login form. The form carries a Cross-Site Request Forgery (CSRF) token, but CSRF protection is not enabled by default, so the token is inactive and never validated. The fix is distributed via Composer as ezsystems/ezplatform v2.5.4, and will be included in v3.0.0 when that is released.
If you'd like to enable it manually in your configuration, edit your app/config/security.yml and set the "csrf_token_generator" key under the firewall's form_login section to "security.csrf.token_manager", like this:

```yaml
security:
    firewalls:
        ezpublish_front:
            form_login:
                csrf_token_generator: security.csrf.token_manager
```
NB: In eZ Platform 3.0 this file has been moved to config/packages/security.yaml
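To check whether a deployment already carries this setting, the following added example (not code from the advisory or from the ezsystems project) walks a security.yml and reports, per firewall that uses form_login, whether csrf_token_generator is set to security.csrf.token_manager. It parses only the plain indentation-nested "key: value" subset of YAML that these files use; the two sample configs and the firewall keys pattern, anonymous and login_path are constructed for the example, and the version-to-path mapping follows the file locations named above.

```python
"""Audit an eZ Platform (Symfony) security config for form_login CSRF protection.

Added example, not part of the advisory. Supports only the indentation-nested
"key: value" subset of YAML found in security.yml; anchors, lists, flow style
and values containing '#' are out of scope and would need a real YAML parser.
"""

from typing import Any, Dict

# The token manager the advisory tells you to configure.
EXPECTED_GENERATOR = "security.csrf.token_manager"


def security_config_path(major_version: int) -> str:
    """Where the security config lives: app/config in 2.x, config/packages in 3.x."""
    return "config/packages/security.yaml" if major_version >= 3 else "app/config/security.yml"


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root: Dict[str, Any] = {}
    # Stack of (indent, mapping): each line attaches to the nearest shallower mapping.
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def form_login_csrf_status(config: Dict[str, Any]) -> Dict[str, bool]:
    """Return {firewall_name: csrf_enabled} for every firewall that uses form_login.

    A firewall whose form_login is enabled with defaults (e.g. 'form_login: ~')
    is reported as unprotected, because the generator key is simply absent.
    """
    firewalls = config.get("security", {}).get("firewalls", {})
    status: Dict[str, bool] = {}
    for name, firewall in firewalls.items():
        if not isinstance(firewall, dict) or "form_login" not in firewall:
            continue
        form_login = firewall["form_login"]
        status[name] = (
            isinstance(form_login, dict)
            and form_login.get("csrf_token_generator") == EXPECTED_GENERATOR
        )
    return status


# Constructed sample: the default layout, token present in the form but never validated.
VULNERABLE_CONFIG = """\
security:
    firewalls:
        ezpublish_front:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
"""

# Constructed sample: the same config with the advisory's fix applied.
FIXED_CONFIG = """\
security:
    firewalls:
        ezpublish_front:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: /login
                csrf_token_generator: security.csrf.token_manager
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        for firewall, ok in form_login_csrf_status(parse_simple_yaml(text)).items():
            print(f"{label}: firewall {firewall!r} CSRF protection {'on' if ok else 'OFF'}")
```

Run it against the real file (open(security_config_path(2)).read() for a 2.5 install) and treat any firewall reported as OFF as unpatched until the key is added or the package is upgraded to 2.5.4.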
Severity: High (GitHub Reviewed)
Published to the GitHub Advisory Database: May 15, 2024
Updated: May 15, 2024
Package: ezsystems/ezplatform (Composer)
Affected versions: >= 2.5.0, < 2.5.4