weblate@4.3 vulnerabilities

A web-based continuous localization system with tight version control integration

Direct Vulnerabilities

Known vulnerabilities in the weblate package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to a flaw that allows one to log in without credentials after logging out, potentially causing sensitive data exposure.

How to fix Information Exposure?

Upgrade Weblate to version 4.18 or higher.

[,4.18)
  • M
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the weblate/accounts/pipeline.py and weblate/accounts/views.py endpoints, due to missing rate limiting for the 'Remove Account' function.

Note:

This issue can lead to massive mailings.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade Weblate to version 4.14.2 or higher.

[,4.14.2)
  • H
Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.

How to fix Remote Code Execution (RCE)?

Upgrade Weblate to version 4.11.1 or higher.

[0,4.11.1)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via crafted user and language names.

How to fix Cross-site Scripting (XSS)?

Upgrade Weblate to version 4.11 or higher.

[,4.11)