Published: 17 May 2022
Source: github
GitHub: Reviewed
CVSS4: 6.9
CVSS3: 5.3
Description
Weblate user account enumeration via reset password form
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
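The mechanism in the description, as an added example that is not Weblate's code: a minimal password-reset handler that reproduces the error-message oracle (different text for known and unknown addresses), the uniform-response fix, and the attacker-side check that submits a series of candidate addresses and groups them by response. The user store, candidate list and mail queue are constructed for the example.

```python
"""Added example, not Weblate's code: the password-reset enumeration oracle
described for CVE-2017-5537, the uniform-response fix, and the attacker-side
check that tells the two apart."""

# Constructed user store and candidate list; every address here is made up.
REGISTERED = {"alice@example.org", "bob@example.org"}
CANDIDATES = [
    "alice@example.org",
    "nobody@example.org",
    "bob@example.org",
    "mallory@example.org",
]

SENT = []  # hypothetical outbox standing in for the real mail queue


def _queue_reset_mail(email):
    """Stand-in for enqueuing the reset e-mail (hypothetical helper)."""
    SENT.append(email)


def reset_leaky(email):
    """Vulnerable pattern: the response text differs for unknown vs. known addresses."""
    if email not in REGISTERED:
        return "No account found with this email address."
    _queue_reset_mail(email)
    return "Password reset instructions have been sent."


def reset_uniform(email):
    """Fixed pattern: one message whether or not the address is registered.
    The mail is still queued only for real accounts, but the response body
    no longer reveals which branch was taken."""
    if email in REGISTERED:
        _queue_reset_mail(email)
    return "If an account exists for this address, reset instructions have been sent."


def enumerate_accounts(handler, candidates):
    """Attacker's view: submit each candidate and group addresses by response text.
    With the oracle present, one group is exactly the set of registered accounts."""
    groups = {}
    for email in candidates:
        groups.setdefault(handler(email), []).append(email)
    return groups


def is_enumerable(handler, candidates):
    """True if the handler's responses split the candidates into more than one class."""
    return len(enumerate_accounts(handler, candidates)) > 1


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("uniform", reset_uniform)):
        print(name, "enumerable:", is_enumerable(handler, CANDIDATES))
        for msg, emails in enumerate_accounts(handler, CANDIDATES).items():
            print("  ", repr(msg), "->", emails)
```

A uniform message closes only the response-body oracle. The status code, redirect target and response time of both paths must match as well: queuing the mail synchronously for real accounts only can reintroduce a timing side channel, so hand the send to a background worker or do the same amount of work on both paths.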
Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-5537
- https://github.com/WeblateOrg/weblate/issues/1317
- https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079
- https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2017-42.yaml
- http://www.openwall.com/lists/oss-security/2017/01/18/11
- http://www.openwall.com/lists/oss-security/2017/01/20/1
- http://www.securityfocus.com/bid/95676
Packages
Name: weblate (pip)
Affected versions: < 2.10.1
Fixed version: 2.10.1
EPSS
Percentile: 67%
Score: 0.00543
Low
CVSS4: 6.9 Medium
CVSS3: 5.3 Medium
CVE ID: CVE-2017-5537
Weaknesses
CWE-200
CWE-209
Related vulnerabilities
CVSS3: 5.3
nvd
almost 9 years ago
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
CVSS3: 5.3
debian
almost 9 years ago
The password reset form in Weblate before 2.10.1 provides different er ...