CVE-2017-5537

MEDIUM

Weblate < 2.10 - Information Disclosure

Title source: rule

Description

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.

Scores

CVSS v3 5.3
EPSS 0.0054
EPSS Percentile 67.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-200
Status published

Affected Products (3)

weblate/weblate < 2.10
pypi/weblate < 2.10.1 (PyPI)
n/a/n/a

Timeline

Published Mar 15, 2017
Tracked Since Feb 18, 2026