CVE-2019-16394

high-risk
Published 2019-09-17

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

Do I need to act?

!
56.7% chance of exploitation in next 30 days
EPSS score — higher than 43% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (5)

Affected Vendors

Debian Canonical Spip

References (16)

Patch https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-S...
Exploit https://core.spip.net/issues/4171
Mailing List https://lists.debian.org/debian-lts-announce/2019/10/msg00038.html
Mailing List https://seclists.org/bugtraq/2019/Sep/40
Third Party Advisory https://usn.ubuntu.com/4536-1/
Third Party Advisory https://www.debian.org/security/2019/dsa-4532
Patch https://zone.spip.net/trac/spip-zone/changeset/117577/spip-zone
Patch https://zone.spip.net/trac/spip-zone/changeset/117578/spip-zone
Patch https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-S...
Exploit https://core.spip.net/issues/4171
Mailing List https://lists.debian.org/debian-lts-announce/2019/10/msg00038.html
Mailing List https://seclists.org/bugtraq/2019/Sep/40
Third Party Advisory https://usn.ubuntu.com/4536-1/
Third Party Advisory https://www.debian.org/security/2019/dsa-4532
Patch https://zone.spip.net/trac/spip-zone/changeset/117577/spip-zone
Patch https://zone.spip.net/trac/spip-zone/changeset/117578/spip-zone
51
/ 100
high-risk
Severity 21/34 · High
Exploitability 18/34 · Moderate
Exposure 12/34 · Low