The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames
The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.
The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.
Webauthn Framework has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.