CVE-2017-5537
Severity: MEDIUM
Weblate < 2.10.1 - User Enumeration via Password Reset Error Messages
Title source: llmDescription
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
References (6)
1. Patch [x_refsource_confirm]: https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079
2. Mailing List, Patch [mailing-list, x_refsource_mlist]: http://www.openwall.com/lists/oss-security/2017/01/18/11
3. Issue Tracking, Patch [x_refsource_confirm]: https://github.com/WeblateOrg/weblate/issues/1317
4. Mailing List, Patch [mailing-list, x_refsource_mlist]: http://www.openwall.com/lists/oss-security/2017/01/20/1
5. Third Party Advisory, VDB Entry [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/95676
6. Patch, Release Notes [x_refsource_confirm]: https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst
Scores
CVSS v3 base score: 5.3
EPSS: 0.0229
EPSS Percentile: 80.9%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (2)
pypi/weblate (PyPI): 0 - 2.10.1
weblate/weblate: < 2.10
Published: Mar 15, 2017
Tracked Since: Feb 18, 2026