CVE-2019-16394: Information Exposure

September 17, 2019 (updated September 25, 2019)

SPIP provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

References

blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html
core.spip.net/issues/4171
nvd.nist.gov/vuln/detail/CVE-2019-16394
zone.spip.net/trac/spip-zone/changeset/117577/spip-zone
zone.spip.net/trac/spip-zone/changeset/117578/spip-zone

Detect and mitigate CVE-2019-16394 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →