Bugzilla – Bug 1020745
VUL-1: CVE-2017-5537: weblate: information disclosure in password reset form
Last modified: 2017-10-26 05:49:09 UTC
Weblate contains an information disclosure issue in its password reset
form. When entering an arbitrary email address in the password reset
form, Weblate will report back "User with this email address was not
found." This makes it possible to figure out which user accounts exist
on the Weblate instance.
Affected: weblate 2.10 and earlier.
Other versions are in home: repos, which are not under official support.
bugbot adjusting priority
I see that the deployment on https://l10n.opensuse.org/ runs SSO integration, so this would only affect the vanilla package.
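The disclosure described in the report, shown next to a form handler that answers identically for every address. This is an added illustration, not Weblate's code or its actual fix; the `ResetService` class, the `SENT` and `NEUTRAL` messages, the helper names and the sample addresses are assumptions constructed for the example, and only the "not found" message is taken from the report.

```python
from dataclasses import dataclass, field

NOT_FOUND = "User with this email address was not found."  # message quoted in the report
SENT = "Password reset instructions have been sent."        # assumed success message
NEUTRAL = "If an account exists for this address, reset instructions have been sent."


@dataclass
class ResetService:
    users: set                                   # constructed sample accounts
    outbox: list = field(default_factory=list)   # addresses that would receive mail

    def _normalize(self, email):
        return email.strip().lower()

    def reset_vulnerable(self, email):
        """Behaviour from the report: the reply reveals whether the account exists."""
        email = self._normalize(email)
        if email not in self.users:
            return NOT_FOUND
        self.outbox.append(email)
        return SENT

    def reset_hardened(self, email):
        """Same reply for every address; mail is queued only for real accounts."""
        email = self._normalize(email)
        if email in self.users:
            self.outbox.append(email)
        return NEUTRAL


def leaks_account_existence(handler, known, unknown):
    """Regression check: True if replies differ for an existing vs. a missing account."""
    return handler(known) != handler(unknown)


def demo():
    svc = ResetService(users={"alice@example.org"})
    vulnerable = leaks_account_existence(
        svc.reset_vulnerable, "alice@example.org", "nobody@example.org")
    hardened = leaks_account_existence(
        svc.reset_hardened, "Alice@Example.org ", "nobody@example.org")
    return vulnerable, hardened, svc.outbox


if __name__ == "__main__":
    print(demo())
```

The same comparison belongs in a regression test for the real form, where the HTTP status code and response time should also match between the two cases.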