MEDIUM 5.3 PyPI
Weblate user account enumeration via reset password form
GHSA-j24g-gm76-j829 · CVE-2017-5537 · PYSEC-2017-42
Description
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
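The following is an added, constructed illustration of this bug class, not Weblate's own code: a pre-fix style reset handler whose response reveals whether the address is registered, beside a hardened handler that answers identically either way, plus the regression check a maintainer would keep to catch the leak coming back. The account store, addresses and in-memory outbox are assumptions.

```python
# Constructed, simplified model of CVE-2017-5537 (not Weblate's code).
# Each handler takes a submitted email address and returns the (status, message)
# the user would see; mail delivery is simulated with an in-memory outbox.

REGISTERED = {"alice@example.org", "bob@example.org"}  # constructed sample accounts
OUTBOX = []  # constructed stand-in for the mail backend


def send_reset_mail(email):
    """Stand-in for real mail delivery: just record the recipient."""
    OUTBOX.append(email)


def reset_password_leaky(email):
    """Pre-fix behaviour: the form says whether the address is known.

    A different status/message for unknown addresses is a direct oracle for
    account existence, which is exactly what the advisory describes."""
    if email not in REGISTERED:
        return 400, "No user found with this email address."
    send_reset_mail(email)
    return 200, "Password reset instructions have been sent."


def reset_password_uniform(email):
    """Hardened behaviour: identical response regardless of the lookup result.

    Mail still goes only to registered accounts, but the caller cannot tell
    from the response which branch was taken."""
    if email in REGISTERED:
        send_reset_mail(email)
    return 200, ("If an account with this address exists, password reset "
                 "instructions have been sent to it.")


def leaks_account_existence(handler):
    """Regression check: does the handler answer a registered and an
    unregistered address differently? True means the handler is leaky."""
    known = handler("alice@example.org")
    unknown = handler("nobody@example.org")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler distinguishable:", leaks_account_existence(reset_password_leaky))
    print("uniform handler distinguishable:", leaks_account_existence(reset_password_uniform))
```

The uniform response removes the message oracle, but the registered branch still does extra work (sending mail), so response time can differ; production implementations typically queue the mail asynchronously and rate-limit the form for that reason.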
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-5537
- WEB https://github.com/WeblateOrg/weblate/issues/1317
- WEB https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2017-42.yaml
- WEB http://www.openwall.com/lists/oss-security/2017/01/18/11
- WEB http://www.openwall.com/lists/oss-security/2017/01/20/1
- WEB http://www.securityfocus.com/bid/95676