All the vulnerabilities related to WeblateOrg - weblate
cve-2025-32021
Vulnerability from cvelistv5
Published
2025-04-15 20:39
Modified
2025-04-16 14:49
Summary
Weblate VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
References
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| WeblateOrg | weblate |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32021", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T14:40:58.239648Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T14:49:51.412Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "weblate", "vendor": "WeblateOrg", "versions": [ { "status": "affected", "version": "\u003c 5.11" } ] } ], "descriptions": [ { "lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client\u0027s URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-598", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-15T20:39:09.253Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j" }, { "name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11" } ], "source": { "advisory": "GHSA-m67m-3p5g-cw9j", "discovery": "UNKNOWN" }, "title": "Weblate VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32021", "datePublished": "2025-04-15T20:39:09.253Z", "dateReserved": "2025-04-01T21:57:32.955Z", "dateUpdated": "2025-04-16T14:49:51.412Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-47951
Vulnerability from cvelistv5
Published
2025-06-16 20:57
Modified
2025-06-17 18:52
Summary
Weblate lacks rate limiting when verifying second factor
References
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/pull/14918 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384 | x_refsource_MISC |
| https://hackerone.com/reports/3150564 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| WeblateOrg | weblate |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-47951", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-17T18:49:15.267847Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-17T18:52:13.582Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "weblate", "vendor": "WeblateOrg", "versions": [ { "status": "affected", "version": "\u003c 5.12" } ] } ], "descriptions": [ { "lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-16T20:57:52.509Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q" }, { "name": "https://github.com/WeblateOrg/weblate/pull/14918", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/pull/14918" }, { "name": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384" }, { "name": "https://hackerone.com/reports/3150564", "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/3150564" }, { "name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1" } ], "source": { "advisory": "GHSA-57jg-m997-cx3q", "discovery": "UNKNOWN" }, "title": "Weblate lacks rate limiting when verifying second factor" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-47951", "datePublished": "2025-06-16T20:57:52.509Z", "dateReserved": "2025-05-14T10:32:43.531Z", "dateUpdated": "2025-06-17T18:52:13.582Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24710
Vulnerability from cvelistv5
Published
2022-02-25 20:50
Modified
2025-04-23 19:00
Summary
Cross-site Scripting in Weblate
References
Impacted products
| Vendor | Product |
|---|---|
| WeblateOrg | weblate |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.958Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-24710", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T14:09:54.483898Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T19:00:28.349Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "weblate", "vendor": "WeblateOrg", "versions": [ { "status": "affected", "version": "\u003c 4.11" } ] } ], "descriptions": [ { "lang": "en", "value": "Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-25T20:50:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda" } ], "source": { "advisory": "GHSA-6jp6-9rf9-gc66", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting in Weblate", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24710", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting in Weblate" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "weblate", "version": { "version_data": [ { "version_value": "\u003c 4.11" } ] } } ] }, "vendor_name": "WeblateOrg" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Weblate is a copyleft software web-based continuous localization 
system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66", "refsource": "CONFIRM", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66" }, { "name": "https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389", "refsource": "MISC", "url": "https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389" }, { "name": "https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1", "refsource": "MISC", "url": "https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1" }, { "name": "https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda", "refsource": "MISC", "url": "https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda" } ] }, "source": { "advisory": "GHSA-6jp6-9rf9-gc66", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": 
"CVE-2022-24710", "datePublished": "2022-02-25T20:50:11.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T19:00:28.349Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-49134
Vulnerability from cvelistv5
Published
2025-06-16 21:03
Modified
2025-06-17 18:07
Summary
Weblate exposes personal IP address via e-mail
References
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5 | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/pull/15102 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| WeblateOrg | weblate |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-49134", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-17T18:04:17.801449Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-17T18:07:38.620Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "weblate", "vendor": "WeblateOrg", "versions": [ { "status": "affected", "version": "\u003c 5.12" } ] } ], "descriptions": [ { "lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "HIGH", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-359", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-16T21:03:31.982Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5", "tags": [ "x_refsource_CONFIRM" ], "url": 
"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5" }, { "name": "https://github.com/WeblateOrg/weblate/pull/15102", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/pull/15102" }, { "name": "https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62" }, { "name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1" } ], "source": { "advisory": "GHSA-4qqf-9m5c-w2c5", "discovery": "UNKNOWN" }, "title": "Weblate exposes personal IP address via e-mail" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-49134", "datePublished": "2025-06-16T21:03:31.982Z", "dateReserved": "2025-06-02T10:39:41.633Z", "dateUpdated": "2025-06-17T18:07:38.620Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39303
Vulnerability from cvelistv5
Published
2024-07-01 18:46
Modified
2024-08-02 04:19
Summary
Weblate vulnerable to improper sanitization of project backups
References
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| WeblateOrg | weblate |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39303", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-01T20:50:23.895788Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-01T20:50:32.040Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:19:20.681Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p" }, { "name": "https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "weblate", "vendor": "WeblateOrg", "versions": [ { "status": "affected", "version": "\u003e= 4.14, \u003c 5.6.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn\u0027t correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-01T18:46:18.183Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p" }, { "name": "https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd" } ], "source": { "advisory": "GHSA-jfgp-674x-6q4p", "discovery": "UNKNOWN" }, "title": "Weblate vulnerabler to improper sanitization of project backups" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-39303", "datePublished": "2024-07-01T18:46:18.183Z", "dateReserved": "2024-06-21T18:15:22.258Z", "dateUpdated": "2024-08-02T04:19:20.681Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }