Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade Weblate to version 5.11 or higher.
Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings. When a new component is created based on an existing one that has a source code repository URL, that URL, including any embedded credentials (such as a GitHub Personal Access Token and username), is passed in plain text as a query parameter of the client's URL. An attacker who can read server logs or browser history, where these credentials are then stored in plaintext, can gain access to private repositories containing sensitive source code.
1. Create a component that has the Repository push URL setting configured with a URL embedding a secret PAT.
2. Create another component using the From existing component option, selecting the previous component as the source. The URL parameter repo should now include the secret PAT configured in the original component's settings. The URL with the token is potentially saved as plaintext in browser history and server logs.
3. Select a translation file to import.
4. Observe that the same repo parameter appears again in the URL.
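On the defensive side, the lasting damage from this flaw is the credential copy left in web-server access logs. The following Python script, an added example that is not code from Weblate or from this advisory, scans access-log lines for a repo query parameter whose URL carries userinfo credentials and redacts them before the line is retained; the sample log lines, the request path and the token value are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines (not real Weblate logs); the request
# path is hypothetical. Line 1 carries a repo= URL with an embedded user:token.
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /hypothetical/create-component/'
    '?repo=https%3A%2F%2Fbob%3Aghp_EXAMPLETOKEN%40github.com%2Fexample%2Frepo.git'
    '&name=demo HTTP/1.1" 200 512\n'
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /hypothetical/create-component/'
    '?repo=https%3A%2F%2Fgithub.com%2Fexample%2Frepo.git HTTP/1.1" 200 512\n'
)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def redact_url_credentials(url: str) -> tuple[str, bool]:
    """Replace the userinfo (user:token@) of an http(s) URL with REDACTED@.
    Only http(s) is checked; ssh://git@host carries a plain username."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, False
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="REDACTED@" + host)), True


def scan_log_line(line: str) -> tuple[bool, str]:
    """Return (leaked, line); when a query parameter of the request target is a
    URL with embedded credentials, the line comes back with them redacted."""
    m = REQUEST_RE.search(line)
    if not m:
        return False, line
    target = urlsplit(m.group("target"))
    leaked, clean = False, []
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        value, found = redact_url_credentials(value)
        leaked, clean = leaked or found, clean + [(key, value)]
    if not leaked:
        return False, line
    clean_target = urlunsplit(target._replace(query=urlencode(clean)))
    return True, line[:m.start("target")] + clean_target + line[m.end("target"):]


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, redacted line) for every leaking line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        leaked, redacted = scan_log_line(line)
        if leaked:
            hits.append((number, redacted))
    return hits
```

Running scan_log over a real log pinpoints which requests leaked a token, so the affected tokens can be rotated and the stored lines rewritten.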