Unauthorized Access to Files on Server via Crafted ZIP File in Weblate Prior to Version 5.6.2
CVE-2024-39303

5.4MEDIUM

Key Information:

Vendor: Weblateorg
Status: Weblate
Vendor: CVE Published:; 1 July 2024

What is CVE-2024-39303?

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

Affected Version(s)

weblate >= 4.14, < 5.6.2

References

https://github.com/WeblateOrg/weblate/security/advisories...

x_refsource_CONFIRM

https://github.com/WeblateOrg/weblate/commit/b6a7eace155f...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2024
Vulnerability Reserved
Jun 21, 2024

JSON

Weblateorg

What is CVE-2024-39303?

Affected Version(s)

References

CVSS V3.1

Timeline