Advisories for Composer/Web-Auth/Webauthn-Framework package

2024

The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

2021

Incorrect Authorization

Webauthn Framework has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.