CVE-2017-5537

Medium

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated…

mitre·CWE-200·Published 2017-03-15

CVSS

5.3

EPSS

0.02

KEV

Exploits

cve.orgen

235 chars

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.

NVDen

235 chars

OSV.deven

235 chars

GHSAen

235 chars

NVDes

316 chars

El formulario de restablecimiento de contraseña en Weblate en versiones anteriores a 2.10.1 proporciona diferentes mensajes de error dependiendo de si la dirección de correo electrónico está asociada con una cuenta, lo que permite a atacantes remotos enumerar cuentas de usuario a través de una serie de solicitudes.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
3.0	Primary	NVD	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	GHSA	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0	Secondary	GHSA	6.9	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N