Security fix for Flow released (2.3.16, 3.0.10, 3.1.7, 3.2.7, 3.3.5)

The new releases of Flow fix a security issue. Users should update to the latest versions.

Details can be found at https://www.neos.io/blog/flow-sa-2016-001.html

The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence through timing attacks: the password hash was only computed when an account was found, so a login attempt for a non-existent username completed measurably faster than one for an existing account. We changed the core so that the provider always performs a password comparison whenever credentials were submitted at all.
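The following is an added example, not code from Flow or the Neos team, written in Python rather than PHP so it runs stand-alone. It contrasts a provider that mirrors the pre-fix behaviour (hashing only when the account exists) with one that mirrors the fix (always hashing, against a dummy record when no account matches). PBKDF2 stands in for the framework's own password hashing, and the class, method and account names are constructed for this illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # constructed cost; high enough that one hash takes a few ms


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for Flow's configured hashing strategy.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Accounts:
    """Minimal in-memory account store (constructed for the example)."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[username] = (salt, hash_password(password, salt))

    def find(self, username: str):
        return self._store.get(username)


class VulnerableProvider:
    """Pre-fix behaviour: the password is hashed only when the account exists."""

    def __init__(self, accounts: Accounts) -> None:
        self.accounts = accounts
        self.hash_calls = 0  # instrumentation to show the unequal work per path

    def authenticate(self, username: str, password: str) -> bool:
        record = self.accounts.find(username)
        if record is None:
            return False  # fast path: reveals that the username is unknown
        salt, stored = record
        self.hash_calls += 1
        return hmac.compare_digest(hash_password(password, salt), stored)


class FixedProvider:
    """Post-fix behaviour: exactly one hash per submitted credential pair."""

    def __init__(self, accounts: Accounts) -> None:
        self.accounts = accounts
        self.hash_calls = 0
        # Dummy salt and hash used when no account matches, so the unknown-user
        # path performs the same amount of work as the known-user path.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def authenticate(self, username: str, password: str) -> bool:
        record = self.accounts.find(username)
        if record is None:
            salt, stored, exists = self._dummy_salt, self._dummy_hash, False
        else:
            (salt, stored), exists = record, True
        self.hash_calls += 1
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        # The hash has already been computed, so this does not short-circuit work.
        return matches and exists


def time_attempt(provider, username: str, password: str, rounds: int = 5) -> float:
    """Average wall-clock seconds per login attempt (for the demo only)."""
    start = time.perf_counter()
    for _ in range(rounds):
        provider.authenticate(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    accounts = Accounts()
    accounts.add("alice", "correct horse battery staple")  # constructed account
    for provider in (VulnerableProvider(accounts), FixedProvider(accounts)):
        known = time_attempt(provider, "alice", "wrong password")
        unknown = time_attempt(provider, "nobody", "wrong password")
        print(f"{type(provider).__name__}: known user {known * 1000:.1f} ms, "
              f"unknown user {unknown * 1000:.1f} ms")
```

Running the demo shows the vulnerable provider answering unknown usernames almost instantly while known usernames take the full hash cost; the fixed provider takes the same time on both paths. Absolute timings depend on the machine, which is why the useful invariant to check is the hash-call count per attempt rather than the milliseconds.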

Credits

Thanks to Daniel Siepmann and Kevin Fischer who discovered the issues and to the Neos team for fixing and reviewing the fixes.