CVE-2024-32466
2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Tolgee is an open-source localization platform. For the /v2/projects/translations and /v2/projects/{projectId}/translations endpoints, translation data was returned even when API key was missing translation.view scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to translation.view. This vulnerability is fixed in v3.57.2
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tolgee | tolgee-platform | < 3.57.2 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc
- https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821
References
- https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc
- https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.