CVE-2017-5537

Published: Mar 15, 2017Modified: May 13, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.

Affected (1)

Products: Weblate: Weblate

Weblate

1 product

Weblate

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Weblate Weblate	Up to 2.10

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (12)

http://www.openwall.com/lists/oss-security/2017/01/18/11

Source: cve@mitre.org

Mailing ListPatch

http://www.openwall.com/lists/oss-security/2017/01/20/1

Source: cve@mitre.org

Mailing ListPatch

http://www.securityfocus.com/bid/95676

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst

Source: cve@mitre.org

PatchRelease Notes

https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079

Source: cve@mitre.org

Patch

https://github.com/WeblateOrg/weblate/issues/1317

Source: cve@mitre.org

Issue TrackingPatch

http://www.openwall.com/lists/oss-security/2017/01/18/11