EZSA-2019-004: CSRF token in login form is disabled by default

Publication date:
27/06/2019 12:00

Severity:
High

Affected versions: eZ Platform 2.x and 3.0
Resolving versions: eZ Platform v2.5.4 and v3.0.0

This security advisory fixes a potential vulnerability in the eZ Platform log in form. That form has a Cross-Site Request Forgery (CSRF) token, but the CSRF functionality is not enabled by default, meaning the token is inactive. The fix is distributed via Composer as ezsystems/ezplatform v2.5.4, and in v3.0.0 when that will be released.

If you'd like to manually enable it in your configuration, this is done by editing your app/config/security.yml and setting the "csrf_token_generator" key to "security.csrf.token_manager", like this:

security:
    firewalls:
        ezpublish_front:
            form_login:
                csrf_token_generator: security.csrf.token_manager

NB: In eZ Platform 3.0 this file has been moved to config/packages/security.yaml


Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/

All security advisories