All the vulnerabilites related to tolgee - tolgee-platform
cve-2024-32470
Vulnerability from cvelistv5
Published
2024-04-18 15:05
Modified
2024-08-02 02:13
Severity ?
EPSS score ?
Summary
Tolgee' API keys created by server admin users bypass the permission check
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| tolgee | tolgee-platform |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T00:20:13.964082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:17.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw"
},
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.57.2, \u003c 3.57.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-18T15:05:26.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw"
},
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234"
}
],
"source": {
"advisory": "GHSA-pm57-hcm8-38gw",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027 API keys created by server admin users bypass the permission check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32470",
"datePublished": "2024-04-18T15:05:26.408Z",
"dateReserved": "2024-04-12T19:41:51.167Z",
"dateUpdated": "2024-08-02T02:13:39.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41316
Vulnerability from cvelistv5
Published
2023-09-07 19:39
Modified
2024-09-26 14:12
Severity ?
EPSS score ?
Summary
HTML Injection with email in Tolgee
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg | x_refsource_CONFIRM | |
| https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| tolgee | tolgee-platform |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:54:05.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThan": "3.29.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:00:12.956222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:12:50.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-07T19:39:07.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b"
}
],
"source": {
"advisory": "GHSA-gx3w-rwh5-w5cg",
"discovery": "UNKNOWN"
},
"title": "HTML Injection with email in Tolgee"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41316",
"datePublished": "2023-09-07T19:39:07.916Z",
"dateReserved": "2023-08-28T16:56:43.365Z",
"dateUpdated": "2024-09-26T14:12:50.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-32466
Vulnerability from cvelistv5
Published
2024-04-18 15:02
Modified
2024-08-02 02:13
Severity ?
EPSS score ?
Summary
Tolgee's API key scopes not checked when querying translation data
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc | x_refsource_CONFIRM | |
| https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| tolgee | tolgee-platform |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T15:04:29.774849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:58.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003c 3.57.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-18T15:02:43.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"
}
],
"source": {
"advisory": "GHSA-r95p-fqqv-fppc",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027s API key scopes not checked when querying translation data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32466",
"datePublished": "2024-04-18T15:02:43.803Z",
"dateReserved": "2024-04-12T19:41:51.165Z",
"dateUpdated": "2024-08-02T02:13:39.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-52297
Vulnerability from cvelistv5
Published
2024-11-12 15:54
Modified
2024-11-12 18:37
Severity ?
EPSS score ?
Summary
Tolgee's configuration all configuration properties leaked in public configuration DTO
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| tolgee | tolgee-platform |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThanOrEqual": "3.81.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.81.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T18:36:23.377607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:37:23.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.81.1, \u003c 3.81.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Tolgee 3.81.1 included the all configuration properties in the PublicConfiguratioDTO publicly exposed to users. This vulnerability is fixed in v3.81.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:54:29.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-3wr3-889v-pgcj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-3wr3-889v-pgcj"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/2481/files#diff-d16735590f0f2db7cd782e2966fa18426b94b5e4030fa8b1f5e00cd55686fe7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/2481/files#diff-d16735590f0f2db7cd782e2966fa18426b94b5e4030fa8b1f5e00cd55686fe7f"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/2689/files",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/2689/files"
}
],
"source": {
"advisory": "GHSA-3wr3-889v-pgcj",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027s configuration all configuration properties leaked in public configuration DTO"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52297",
"datePublished": "2024-11-12T15:54:29.775Z",
"dateReserved": "2024-11-06T19:00:26.395Z",
"dateUpdated": "2024-11-12T18:37:23.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-38510
Vulnerability from cvelistv5
Published
2023-07-27 18:57
Modified
2024-10-03 18:36
Severity ?
EPSS score ?
Summary
Tolgee Lacks Permission Check for API Key for some endpoints
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v | x_refsource_CONFIRM | |
| https://github.com/tolgee/tolgee-platform/pull/1818 | x_refsource_MISC | |
| https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7 | x_refsource_MISC | |
| https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| tolgee | tolgee-platform |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:55.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/1818",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/1818"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7"
},
{
"name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThan": "3.23.1",
"status": "affected",
"version": "3.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:35:54.292300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:36:37.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.14.0, \u003c 3.23.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It\u0027s important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T18:57:28.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/1818",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/1818"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7"
},
{
"name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1"
}
],
"source": {
"advisory": "GHSA-4f9j-4vh4-p85v",
"discovery": "UNKNOWN"
},
"title": "Tolgee Lacks Permission Check for API Key for some endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38510",
"datePublished": "2023-07-27T18:57:28.197Z",
"dateReserved": "2023-07-18T16:28:12.078Z",
"dateUpdated": "2024-10-03T18:36:37.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}