full path disclosure at hosted.weblate.org/admin/accounts/profile/
Medium
Vulnerability Details
Browsing this link https://hosted.weblate.org/admin/accounts/profile/ will ask for the admin username and password, as it does when browsing https://hosted.weblate.org/admin/accounts/ or https://hosted.weblate.org/admin/, hence disclosing the directory path of the forbidden area.
Screenshot: path.png
It is also found that there is no rate limiting enforced at https://hosted.weblate.org/admin/login/?next=/admin/, hence an attacker can break into staff accounts by brute forcing.
Screenshot: login.png
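The second finding is a missing login throttle. As an added example (not code from this report, from Weblate or from Django), the following in-memory sliding-window throttle shows the control the report says is absent: failed attempts are counted per client IP and per target username, the password check is skipped entirely while a key is blocked, and a successful login clears the counters. The `LoginThrottle`, `attempt_login` and `FakeClock` names, the `198.51.100.7` client address and the `admin` credential store are all constructed for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login throttle (illustrative, not Weblate's code).

    Each key (e.g. "ip:198.51.100.7" or "user:admin") keeps the timestamps of
    its recent failures. Once `limit` failures fall inside `window` seconds the
    key is blocked until the oldest failure ages out, so the lockout is
    temporary and cannot be used to permanently deny a real user access.
    """

    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit = limit          # failures allowed inside one window
        self.window = window        # window length in seconds
        self.clock = clock          # injectable for deterministic tests
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        """Drop failures older than the window; return the live deque."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._prune(key, self.clock())) >= self.limit

    def retry_after(self, key):
        """Seconds until the key unblocks (0.0 if it is not blocked)."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (now - q[0]))

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, ip, username, password, verify):
    """Return "ok", "denied" or "throttled".

    The throttle is consulted *before* `verify`, so a blocked attacker gets no
    signal about whether a guess was right; both the IP and the username key
    must be clear for the credential check to run at all.
    """
    keys = (f"ip:{ip}", f"user:{username}")
    if any(throttle.is_blocked(k) for k in keys):
        return "throttled"
    if verify(username, password):
        for k in keys:
            throttle.reset(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"


class FakeClock:
    """Deterministic stand-in for time.monotonic (constructed for the demo)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce(attempts=20, limit=5, window=300.0):
    """Run `attempts` wrong guesses against one account from one IP, one per
    second, and return the per-attempt outcome list."""
    clock = FakeClock()
    throttle = LoginThrottle(limit=limit, window=window, clock=clock)
    users = {"admin": "correct-horse-battery-staple"}   # constructed store
    verify = lambda u, p: users.get(u) == p
    results = []
    for i in range(attempts):
        results.append(attempt_login(throttle, "198.51.100.7", "admin",
                                     f"guess{i}", verify))
        clock.advance(1.0)
    return results


if __name__ == "__main__":
    outcome = simulate_bruteforce()
    print(outcome)   # first 5 attempts "denied", the remaining 15 "throttled"
```

Two caveats a reviewer would raise before deploying anything like this: the counters live in one process, so a multi-worker deployment needs them in a shared store (Django's cache framework or a package such as django-axes, which is the usual route in a Django application like Weblate); and keying on the username alone would let an attacker lock real staff out at will, which is why the block is per-window rather than permanent and is combined with the per-IP key.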
Report Stats
- Report ID: 225495
- State: Closed
- Substate: resolved
- Upvotes: 2