Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qMjRnLWdtNzYtajgyOc4AAb1V

Weblate user account enumeration via reset password form

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.

Permalink: https://github.com/advisories/GHSA-j24g-gm76-j829
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMjRnLWdtNzYtajgyOc4AAb1V
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-j24g-gm76-j829, CVE-2017-5537
References:

Repository: https://github.com/WeblateOrg/weblate
Blast Radius: 1.6

Affected Packages

pypi:weblate

Dependent packages: 0
Dependent repositories: 2
Downloads: 3,896 last month
Affected Version Ranges: < 2.10.1
Fixed in: 2.10.1
All affected versions:
All unaffected versions: 2.10.1, 2.13.1, 2.14.1, 2.17.1, 2.19.1, 3.0.1, 3.1.1, 3.2.1, 3.2.2, 3.5.1, 3.6.1, 3.7.1, 3.9.1, 3.10.1, 3.10.2, 3.10.3, 3.11.1, 3.11.2, 3.11.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.2.1, 4.2.2, 4.3.1, 4.3.2, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2, 4.7.1, 4.7.2, 4.8.1, 4.9.1, 4.10.1, 4.11.1, 4.11.2, 4.12.1, 4.12.2, 4.13.1, 4.14.1, 4.14.2, 4.15.1, 4.15.2, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.18.1, 4.18.2, 5.0.1, 5.0.2, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.4.2, 5.4.3, 5.5.2, 5.5.3