eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution RCE, a very serious threat. All sites may be affected. Update: There are bugs introduced by this fix, particularly but not limited to compound...

Login timing attack in ezsystems/ezplatform-kernel

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replace...