THREATINT


CVE record: PUBLISHED

CVE-2024-39303

Weblate vulnerable to improper sanitization of project backups

Assigner: GitHub_M
Reserved: 2024-06-21
Published: 2024-07-01
Updated: 2024-07-01

Description

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.
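The defect class described above (CWE-73) is a member name inside a user-supplied ZIP being trusted as a destination path. As an added defensive example, not Weblate's own code or its fix, the following checks every archive member against the intended restore directory before anything is written; the archive contents and the destination name `restore_target` are constructed for illustration.

```python
"""Validate ZIP member names before restoring a backup (added example).

Not Weblate's code. Member names in an archive are attacker-controlled, so
each must be checked against the intended destination before extraction.
"""
import io
import os
import zipfile


def is_safe_member(name, dest_dir):
    """Return True only if `name` resolves to a path strictly inside dest_dir."""
    # Reject empty names, absolute paths, backslashes and drive-letter colons.
    if not name or name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return False
    # Reject any '..' component before touching the filesystem at all.
    if ".." in name.split("/"):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    # Final check: the resolved target must still lie under the destination.
    # (Symlinks already present inside the archive need a separate check.)
    return os.path.commonpath([dest, target]) == dest


def check_backup(zip_bytes, dest_dir):
    """Split archive members into (accepted, rejected) without extracting."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = accepted if is_safe_member(info.filename, dest_dir) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def build_sample_backup():
    """Constructed archive mixing legitimate and hostile member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/backup.json", "{}")   # legitimate
        zf.writestr("project/po/cs.po", "")        # legitimate
        zf.writestr("../../etc/crontab", "")       # classic traversal
        zf.writestr("/etc/passwd", "")             # absolute path
        zf.writestr("project/..\\secret", "")      # backslash traversal
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = check_backup(build_sample_backup(), "restore_target")
    print("accepted:", ok)
    print("rejected:", bad)
```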



Severity: MEDIUM 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

Problem types

CWE-73: External Control of File Name or Path

Product status

Versions >= 4.14, < 5.6.2: affected

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p

https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd

cve.org CVE-2024-39303

nvd.nist.gov CVE-2024-39303

Page URL: https://cve.threatint.com/CVE/CVE-2024-39303