CVE-2017-5537
Summary
| CVE | CVE-2017-5537 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-03-15 15:59:00 UTC |
| Updated | 2017-03-21 18:56:00 UTC |
| Description | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - Re: CVE request Weblate: information disclosure in password reset form | MLIST | www.openwall.com | Mailing List, Patch |
| Weblate CVE-2017-5537 Information Disclosure Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| weblate/changes.rst at weblate-2.10.1 · WeblateOrg/weblate · GitHub | CONFIRM | github.com | Patch, Release Notes |
| Do not show validation error on password reset · WeblateOrg/weblate@abe0d2a · GitHub | CONFIRM | github.com | Patch |
| The existence of a weblate account is guessable (CVE-2017-5537) · Issue #1317 · WeblateOrg/weblate · GitHub | CONFIRM | github.com | Issue Tracking, Patch |
| oss-security - CVE request Weblate: information disclosure in password reset form | MLIST | www.openwall.com | Mailing List, Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |