Weblate
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Weblate versions up to 5.16.0 contain a vulnerability that allows attackers to perform an argument injection into `ssh-add` (CVSS 6.6).
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.
Weblate is a web based localization tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.
Weblate is a web based localization tool. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.
A security vulnerability in Weblate (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.