http://bugzilla.opensuse.org/show_bug.cgi?id=1020745

Bug ID: 1020745
Summary: VUL-1: weblate: information disclosure in password reset form
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/135
==============================================
Weblate contains an information disclosure issue in its password reset form.
When entering an arbitrary email address in the password reset form Weblate
will report back "User with this email address was not found." This makes it
possible to figure out which user accounts exist on the weblate instance.

Affected: weblate 2.10 and earlier.

Upstream patch:
https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8...

Bug report:
https://github.com/WeblateOrg/weblate/issues/1317
==============================================

https://software.opensuse.org/package/weblate

SLE12:
M17N:l10n.opensuse.org 2.6
M17N:l10n.opensuse.org 2.8

Unsupported distros:
M17N:l10n.opensuse.org 2.5
M17N:l10n.opensuse.org 2.8

Other versions are in home: repos, which are not under official support.
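
Added example (not Weblate's code and not the upstream patch): a minimal Python sketch of the behaviour the report describes, next to a handler that answers identically for every address, plus a regression check that flags the difference. The account store, function names, status codes and the generic message text are assumptions made for illustration.

```python
# Added illustration only; every name below is hypothetical.
USERS = {"alice@example.org"}  # constructed sample account store
GENERIC = "If this address is registered, a reset link has been sent."


def normalize(email):
    """Compare addresses case-insensitively and without stray whitespace."""
    return email.strip().lower()


def reset_vulnerable(email, outbox):
    """Behaviour from the report: the reply says whether the account exists."""
    if normalize(email) not in USERS:
        return 400, "User with this email address was not found."
    outbox.append(normalize(email))
    return 200, "Password reset email sent."


def reset_hardened(email, outbox):
    """Same status and body for every address.

    Mail is queued only for real accounts. Queueing (rather than sending
    inline) also keeps response time from depending on account existence.
    """
    if normalize(email) in USERS:
        outbox.append(normalize(email))
    return 200, GENERIC


def leaks_account_existence(handler, known, unknown):
    """Regression check: True if a registered and an unregistered address
    produce different (status, body) responses."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for h in (reset_vulnerable, reset_hardened):
        leak = leaks_account_existence(h, "alice@example.org", "nobody@example.org")
        print(h.__name__, "leaks" if leak else "uniform")
```

A check like leaks_account_existence fits in a test suite so that a later change to the reset form's messages cannot silently reintroduce the disclosure.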