Vulnerability Details : CVE-2017-5537
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
Vulnerability category: Information leak
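The following is an added example, not Weblate's code, that illustrates the response-oracle pattern the description above refers to and the uniform-response fix. It is a minimal Django-free handler with a constructed account table; the names `reset_leaky`, `reset_uniform` and `is_enumeration_oracle` are assumptions made for this example.

```python
"""Added example (not Weblate's code): a password reset request handler
whose error message leaks account existence, beside the uniform-response
version, plus a defender-side check that compares the two observable
responses."""
from dataclasses import dataclass

# Constructed stand-in for the application's account store.
KNOWN_ACCOUNTS = {"alice@example.org", "bob@example.org"}

# Records which addresses a reset mail was "sent" to (constructed stub).
SENT_MAIL = []


def send_reset_mail(email: str) -> None:
    """Stub for the mail-sending step; only records the recipient."""
    SENT_MAIL.append(email)


@dataclass(frozen=True)
class ResetResponse:
    """What a client can observe: HTTP status and the page message."""
    status: int
    message: str


def reset_leaky(email: str) -> ResetResponse:
    """Pre-fix behaviour: the validation error is only shown for unknown
    addresses, so the message itself answers 'does this account exist?'."""
    if email not in KNOWN_ACCOUNTS:
        return ResetResponse(200, "Error: no account found for that email address.")
    send_reset_mail(email)
    return ResetResponse(200, "Password reset instructions have been sent.")


def reset_uniform(email: str) -> ResetResponse:
    """Post-fix behaviour: the same status and message are returned whether
    or not the account exists; mail is only actually sent for known accounts.
    Rate limiting of this endpoint is still needed to limit abuse, but that
    is outside this example."""
    if email in KNOWN_ACCOUNTS:
        send_reset_mail(email)
    return ResetResponse(
        200,
        "If an account exists for that address, reset instructions have been sent.",
    )


def is_enumeration_oracle(handler, existing: str, missing: str) -> bool:
    """Defender-side check usable in a test suite: the handler is an account
    enumeration oracle if its observable response differs between an address
    that exists and one that does not."""
    return handler(existing) != handler(missing)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = is_enumeration_oracle(handler, "alice@example.org", "nobody@example.org")
        print(f"{handler.__name__}: enumeration oracle = {leaks}")
```

A regression test of this shape, run against the real reset view with one known and one unknown address, is the simplest way to keep the uniform-message fix from silently regressing when the form's validation is later refactored.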
Products affected by CVE-2017-5537
- cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5537
- EPSS score: 0.38% (probability of exploitation activity in the next 30 days)
- Percentile: ~69% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-5537
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2017-5537
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5537
- http://www.openwall.com/lists/oss-security/2017/01/18/11
  oss-security - CVE request Weblate: information disclosure in password reset form (Mailing List; Patch)
- https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079
  Do not show validation error on password reset · WeblateOrg/weblate@abe0d2a · GitHub (Patch)
- http://www.securityfocus.com/bid/95676
  Weblate CVE-2017-5537 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/WeblateOrg/weblate/issues/1317
  The existence of a weblate account is guessable (CVE-2017-5537) · Issue #1317 · WeblateOrg/weblate · GitHub (Issue Tracking; Patch)
- http://www.openwall.com/lists/oss-security/2017/01/20/1
  oss-security - Re: CVE request Weblate: information disclosure in password reset form (Mailing List; Patch)
- https://github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rst
  weblate/changes.rst at weblate-2.10.1 · WeblateOrg/weblate · GitHub (Patch; Release Notes)