Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02anA2LTlyZjktZ2M2Ns0u1Q

Cross-site Scripting in Weblate

Impact

Due to improper neutralization, it was possible to perform cross-site scripting via crafted user and language names.

Patches

The issues were fixed in the 4.11 release. The following commits are addressing it:

f6753a1a1c63fade6ad418fbda827c6750ab0bda
9e19a8414337692cc90da2a91c9af5420f2952f1
22d577b1f1e88665a88b4569380148030e0f8389

Workarounds

You can look for crafted user and language names to see if you were affected.

References

For more information

If you have any questions or comments about this advisory:

Open a topic in discussions
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-6jp6-9rf9-gc66
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02anA2LTlyZjktZ2M2Ns0u1Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-6jp6-9rf9-gc66, CVE-2022-24710
References:

Repository: https://github.com/WeblateOrg/weblate
Blast Radius: 1.6

Affected Packages

pypi:Weblate

Dependent packages: 0
Dependent repositories: 2
Downloads: 3,368 last month
Affected Version Ranges: < 4.11
Fixed in: 4.11
All affected versions: 2.10.1, 2.13.1, 2.14.1, 2.17.1, 2.19.1, 3.0.1, 3.1.1, 3.2.1, 3.2.2, 3.5.1, 3.6.1, 3.7.1, 3.9.1, 3.10.1, 3.10.2, 3.10.3, 3.11.1, 3.11.2, 3.11.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.2.1, 4.2.2, 4.3.1, 4.3.2, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2, 4.7.1, 4.7.2, 4.8.1, 4.9.1, 4.10.1
All unaffected versions: 4.11.1, 4.11.2, 4.12.1, 4.12.2, 4.13.1, 4.14.1, 4.14.2, 4.15.1, 4.15.2, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.18.1, 4.18.2, 5.0.1, 5.0.2, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.4.2, 5.4.3