Homepage
About Snyk

weblate@2.8 vulnerabilities

A web-based continuous localization system with tight version control integration

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the weblate package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to a flaw that allows one to log in without credentials after logging out, potentially causing sensitive data exposure.

How to fix Information Exposure?

Upgrade Weblate to version 4.18 or higher.

[,4.18)
  • M
Insufficient Session Expiration

Affected versions of this package are vulnerable to Insufficient Session Expiration when users may be allowed to modify their password, but the session credentials continue to be operational even after the password has been altered.

How to fix Insufficient Session Expiration?

Upgrade Weblate to version 2.14 or higher.

[,2.14)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in weblate/accounts/forms.py.

How to fix Denial of Service (DoS)?

Upgrade Weblate to version 2.14 or higher.

[,2.14)
  • M
User Interface (UI) Misrepresentation of Critical Information

Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information due to missing checks in the weblate/trans/forms.py file.

How to fix User Interface (UI) Misrepresentation of Critical Information?

Upgrade Weblate to version 2.14 or higher.

[,2.14)
  • M
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to insufficient checks in the /trans/views/error.py file.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade Weblate to version 4.3 or higher.

[,4.3)
  • M
CSV Injection

Affected versions of this package are vulnerable to CSV Injection due to insufficient checks in the weblate/trans/exporters.py endpoint, via the CSV export feature.

How to fix CSV Injection?

Upgrade Weblate to version 2.14 or higher.

[,2.14)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the Editor Link field.

How to fix Cross-site Scripting (XSS)?

Upgrade Weblate to version 2.14 or higher.

[,2.14)
  • M
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the weblate/accounts/pipeline.py and weblate/accounts/views.py endpoints, due to missing rate limiting for the 'Remove Account' function.

Note:

This issue can lead to massive mailings.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade Weblate to version 4.14.2 or higher.

[,4.14.2)
  • H
Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.

How to fix Remote Code Execution (RCE)?

Upgrade Weblate to version 4.11.1 or higher.

[0,4.11.1)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via crafted user and language names.

How to fix Cross-site Scripting (XSS)?

Upgrade Weblate to version 4.11 or higher.

[,4.11)
  • M
Information Exposure

weblate is a web-based translation tool with tight version control integration The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.

[,2.10.1)
Go back to all versions of this package