CVE-2024-39303
4.4
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Summary
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WeblateOrg | weblate | >= 4.14, < 5.6.2 | affected |
Weaknesses
- CWE-73: CWE-73: External Control of File Name or Path
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p
- https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd
References
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p
- https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.