SPIP before 3.1.11 and 3.2 before 3.2.5 returns different error messages on the password-reminder page depending on whether an e-mail address exists, which might help attackers enumerate subscribers.

OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | spip | < 3.2.5-1 | spip_3.2.5-1_all.deb |
Debian | 11 | all | spip | < 3.2.5-1 | spip_3.2.5-1_all.deb |
Debian | 10 | all | spip | < 3.2.4-1+deb10u1 | spip_3.2.4-1+deb10u1_all.deb |
Debian | 999 | all | spip | < 3.2.5-1 | spip_3.2.5-1_all.deb |
Debian | 13 | all | spip | < 3.2.5-1 | spip_3.2.5-1_all.deb |