The authentication method in Laravel 8.x up to and including 9.x prior to 9.32.0 exists to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
laravel framework |