GHSA-jfgp-674x-6q4p: Weblate vulnerable to improper sanitization of project backups

Skip to content

Navigation Menu

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • GitHub Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-39303

Weblate vulnerable to improper sanitization of project backups

Moderate severity GitHub Reviewed Published Jul 1, 2024 in WeblateOrg/weblate • Updated Jul 1, 2024

Package

pip Weblate (pip)

Affected versions

>= 4.14, < 5.6.2

Description

Impact

Weblate didn’t correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to
files on the server using a crafted ZIP file.

Patches

This issue has been addressed in Weblate 5.6.2 via WeblateOrg/weblate@b6a7eac.

Workarounds

Do not allow project creation to untrusted users.

References

Thanks to Bryan Cahill for bringing this issue to our attention.

For more information

If you have any questions or comments about this advisory:

• Open a topic in discussions
• Email us at [email protected]

References

• GHSA-jfgp-674x-6q4p
• WeblateOrg/weblate@b6a7eac

Published to the GitHub Advisory Database

Jul 1, 2024