| Bug ID | 1020745 |
|---|---|
| Summary | VUL-1: weblate: information disclosure in password reset form |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 42.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | mikhail.kasimov@gmail.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
Ref: http://seclists.org/oss-sec/2017/q1/135 ============================================== Weblate contains an information disclosure issue in it's password reset form. When entering an arbitrary email address in the password reset form Weblate will report back "User with this email address was not found." this makes it possible to figure out which user accounts exist on the weblate instance. Affected: weblate 2.10 and earlier. Upstream patch: https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079 Bug report: https://github.com/WeblateOrg/weblate/issues/1317 ============================================== https://software.opensuse.org/package/weblate SLE12: M17N:l10n.opensuse.org 2.6 M17N:l10n.opensuse.org 2.8 Unsupported distros: M17N:l10n.opensuse.org 2.5 M17N:l10n.opensuse.org 2.8 Other versions are in home: repos, which are not under official support.