The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2017/01/18/11 | Mailing List Patch |
http://www.openwall.com/lists/oss-security/2017/01/20/1 | Mailing List Patch |
http://www.securityfocus.com/bid/95676 | Third Party Advisory VDB Entry |
https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst | Patch Release Notes |
https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079 | Patch |
https://github.com/WeblateOrg/weblate/issues/1317 | Issue Tracking Patch |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-03-15T15:00:00
Updated: 2017-03-15T14:57:01
Reserved: 2017-01-19T00:00:00
Link: CVE-2017-5537
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-03-15T15:59:00.750
Modified: 2017-03-21T18:56:38.913
Link: CVE-2017-5537
JSON object: View
Redhat Information
No data.
CWE