Security Headlines
GHSA-jfgp-674x-6q4p: Weblate vulnerable to improper sanitization of project backups

Impact

Weblate didn’t correctly validate filenames when restoring a project backup. A crafted ZIP file may make it possible to gain unauthorized access to files on the server.
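The filename validation the advisory refers to, shown as an added example that is not Weblate's code and not the fix commit it references: a restore routine that rejects ZIP member names which are absolute, contain `..`, or still resolve outside the restore directory, and that checks every member before writing any. The archives it restores are constructed in-memory samples; `run_demo` and the restore paths are assumptions for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def safe_member_path(root: Path, member: zipfile.ZipInfo) -> Path:
    """Map a ZIP member name to a path inside `root`, or raise ValueError."""
    name = member.filename
    parts = PurePosixPath(name).parts  # drops '.' and empty segments
    if not parts or name.startswith(("/", "\\")) or ":" in parts[0]:  # POSIX, backslash or drive-letter absolute
        raise ValueError(f"empty or absolute member name: {name!r}")
    if ".." in parts:
        raise ValueError(f"parent traversal in archive: {name!r}")
    root = root.resolve()
    target = root.joinpath(*parts).resolve()
    if target != root and root not in target.parents:  # e.g. redirected by a symlink already under root
        raise ValueError(f"member escapes restore directory: {name!r}")
    return target

def restore_backup(data: bytes, root: Path) -> list[Path]:
    """Extract a backup ZIP into `root`; every member is checked before any write (fail closed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(m, safe_member_path(root, m)) for m in zf.infolist()]
        for member, target in plan:
            if member.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(member))
    return [t for m, t in plan if not m.is_dir()]

def build_archive(entries: dict[str, bytes]) -> bytes:  # constructed sample input; names are stored verbatim
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def run_demo() -> dict:  # restore one clean and two hostile constructed archives into a fresh temp dir
    root = Path(tempfile.mkdtemp())
    good = build_archive({"project/README.md": b"hello", "project/po/cs.po": b"msgid"})
    restored = [p.relative_to(root.resolve()).as_posix() for p in restore_backup(good, root)]
    rejected = []
    for hostile in ({"project/ok.txt": b"x", "../../etc/evil": b"x"}, {"/tmp/abs.txt": b"x"}):
        try:
            restore_backup(build_archive(hostile), root)
        except ValueError as exc:
            rejected.append(str(exc))
    return {"restored": restored, "rejected": rejected, "partial": (root / "project/ok.txt").exists()}
```

Because the whole archive is validated before the first write, the clean member that precedes a hostile one in the second archive is never written either.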

Patches

This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.

Workarounds

Do not allow untrusted users to create projects.

References

Thanks to Bryan Cahill for bringing this issue to our attention.

For more information

If you have any questions or comments about this advisory:

Source: ghsa. Tags: vulnerability, web, git, auth


GitHub Advisory Database entry (GitHub Reviewed): CVE-2024-39303

Moderate severity. Published Jul 1, 2024 in WeblateOrg/weblate; updated Jul 1, 2024.

Package

Weblate (pip)

Affected versions

>= 4.14, < 5.6.2

References

  • GHSA-jfgp-674x-6q4p
  • WeblateOrg/weblate@b6a7eac

Published to the GitHub Advisory Database

Jul 1, 2024
