CVSS3: 4.4 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
AI Score: 7 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.2%)
Weblate did not correctly validate filenames when restoring a project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file.
This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.
Do not allow project creation to untrusted users.
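The following is an added illustration of the kind of filename validation a backup restore needs before extracting archive members; it is not Weblate's code (the actual fix is in the commit linked above) and the function names and the in-memory sample archive are constructed for this example.

```python
import io
import os
import zipfile

def unsafe_member_reason(name: str):
    """Why a ZIP member name must be rejected, or None if it is acceptable."""
    if not name or name != name.strip():
        return "empty or padded name"
    if "\\" in name:
        return "backslash in name"
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent directory reference"
    return None

def check_backup(zip_bytes: bytes) -> list:
    """(member name, reason) for every member that would be rejected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [
            (info.filename, reason)
            for info in archive.infolist()
            if (reason := unsafe_member_reason(info.filename)) is not None
        ]

def restore_backup(zip_bytes: bytes, dest: str) -> list:
    """Extract into dest only if every name is safe; resolved paths are re-checked."""
    rejected = check_backup(zip_bytes)
    if rejected:
        # Refuse the whole archive rather than silently relocating entries.
        raise ValueError(f"refusing to restore backup: {rejected}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"member escapes destination: {info.filename}")
            archive.extract(info, dest_real)
            written.append(info.filename)
    return written

def build_sample_backup(names: list) -> bytes:
    """Constructed test fixture: in-memory ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, "sample")
    return buf.getvalue()
```

Python's own `ZipFile.extract` rewrites dangerous member names on extraction, but a restore path should reject such an archive outright so the operator learns that it was crafted instead of having files land in unexpected places.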
Thanks to Bryan Cahill for bringing this issue to our attention.
If you have any questions or comments about this advisory: