Medium severity5.3NVD Advisory· Published Mar 15, 2017· Updated May 13, 2026
CVE-2017-5537
CVE-2017-5537
Description
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
weblatePyPI | < 2.10.1 | 2.10.1 |
Affected products
1Patches
1abe0d2a29a1dDo not show validation error on password reset
2 files changed · +19 −0
weblate/accounts/tests/test_registration.py+17 −0 modified@@ -210,6 +210,23 @@ def test_reset(self): self.assert_registration('[Weblate] Password reset on Weblate') + def test_reset_nonexisting(self): + ''' + Test for password reset. + ''' + response = self.client.get( + reverse('password_reset'), + ) + self.assertContains(response, 'Reset my password') + response = self.client.post( + reverse('password_reset'), + { + 'email': 'test@example.com' + } + ) + self.assertRedirects(response, reverse('email-sent')) + self.assertEqual(len(mail.outbox), 0) + def test_reset_twice(self): ''' Test for password reset.
weblate/accounts/views.py+2 −0 modified@@ -572,6 +572,8 @@ def reset_password(request): request.session['password_reset'] = True return complete(request, 'email') + else: + return redirect('email-sent') else: form = ResetForm()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- www.openwall.com/lists/oss-security/2017/01/18/11nvdMailing ListPatchWEB
- www.openwall.com/lists/oss-security/2017/01/20/1nvdMailing ListPatchWEB
- github.com/WeblateOrg/weblate/blob/weblate-2.10.1/docs/changes.rstnvdPatchRelease NotesWEB
- github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079nvdPatchWEB
- github.com/WeblateOrg/weblate/issues/1317nvdIssue TrackingPatchWEB
- www.securityfocus.com/bid/95676nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-j24g-gm76-j829ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-5537ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2017-42.yamlghsaWEB
News mentions
0No linked articles in our index yet.