php · shopware/platform · Heads-up
shopware/platform OAuth user repository timing attack vulnerability
A timing attack vulnerability in the OAuth user repository allows enumeration of administrator usernames.
What changed
The OAuth user repository returned early when a username did not exist, skipping the password check entirely. A login attempt with an unknown username therefore completed measurably faster than one with a valid administrator username and a wrong password, which lets a remote party tell valid administrator usernames from invalid ones by timing the responses.
Who it affects
All Shopware installations using the default login (not SSO-only).
What to do today
Apply the fix: add a dummy password_verify call before the early return for non-existing users, so that a login attempt with an unknown username does the same amount of hashing work, and takes the same time, as a failed login for a real user.
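The following is an added illustration of the pattern described above; it is not Shopware's code. The class and function names (UserStore, authenticateVulnerable, Hardened, medianMicros) are hypothetical, and the single stored user is a constructed sample. It places the early-return version beside the hardened version and times both against a known and an unknown username, so the gap that enables enumeration, and its disappearance after the fix, can be observed directly.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory user store standing in for the OAuth user repository.
final class UserStore
{
    /** @var array<string, string> username => password_hash() result (constructed sample) */
    private array $users;

    public function __construct()
    {
        $this->users = [
            'admin' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
        ];
    }

    public function findHash(string $username): ?string
    {
        return $this->users[$username] ?? null;
    }
}

// Before the fix: the early return for an unknown user skips password_verify,
// so a request for a bogus username finishes far sooner than one for a real user.
function authenticateVulnerable(UserStore $store, string $username, string $password): bool
{
    $hash = $store->findHash($username);
    if ($hash === null) {
        return false; // no hashing work done: microseconds instead of milliseconds
    }
    return password_verify($password, $hash); // bcrypt cost dominates the response time
}

// After the fix: verify against a dummy hash when the user does not exist, so
// both code paths perform the same hashing work before returning false.
final class Hardened
{
    private string $dummyHash;

    public function __construct()
    {
        // Computed once. Uses the same algorithm and cost as the stored hashes,
        // otherwise the two paths would still differ in duration.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);
    }

    public function authenticate(UserStore $store, string $username, string $password): bool
    {
        $hash = $store->findHash($username);
        if ($hash === null) {
            password_verify($password, $this->dummyHash); // result intentionally discarded
            return false;
        }
        return password_verify($password, $hash);
    }
}

// Median wall-clock time in microseconds over $rounds invocations of $fn.
function medianMicros(callable $fn, int $rounds = 21): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1000;
    }
    sort($samples);
    return $samples[intdiv($rounds, 2)];
}

$store    = new UserStore();
$hardened = new Hardened();
$password = 'not the right password';

printf("vulnerable, known user:   %8.0f us\n", medianMicros(fn() => authenticateVulnerable($store, 'admin', $password)));
printf("vulnerable, unknown user: %8.0f us\n", medianMicros(fn() => authenticateVulnerable($store, 'nobody', $password)));
printf("hardened,   known user:   %8.0f us\n", medianMicros(fn() => $hardened->authenticate($store, 'admin', $password)));
printf("hardened,   unknown user: %8.0f us\n", medianMicros(fn() => $hardened->authenticate($store, 'nobody', $password)));
```

Run it with `php timing.php`. In the vulnerable pair the unknown-user line is orders of magnitude faster than the known-user line; in the hardened pair the two are within noise of each other. Two points matter when applying this in a real repository: the dummy hash has to be produced with the same algorithm and cost parameters as the hashes actually stored (a cheaper dummy reintroduces a smaller but still measurable gap), and it should be computed once rather than on every request, since `password_hash` itself is as slow as the verification it is meant to mimic.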