Description
Weblate is a web-based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. Because these notifications are delivered by e-mail, the address could be obtained by third-party servers on the delivery path, such as SMTP relays or spam filters. This issue has been patched in version 5.12.
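To illustrate the defect and one possible mitigation, here is an added example (not Weblate's code, and not the upstream patch): a constructed audit-log event is rendered into a notification body the pre-5.12 way, with the exact address, and then with the address coarsened to a network prefix before it leaves the server. Event field names and the /24 and /48 masking choices are assumptions for the example.

```python
import ipaddress

# Constructed sample audit-log event; field names are assumed, not Weblate's schema.
SAMPLE_EVENT = {
    "activity": "login",
    "username": "translator",
    "address": "203.0.113.47",
}


def mask_ip(address: str) -> str:
    """Coarsen an IP address before it is placed in an outbound notification.

    IPv4 keeps the first three octets (/24); IPv6 keeps the first 48 bits.
    The user can still recognise roughly where a session came from, but the
    exact host is no longer disclosed to every relay and filter on the mail path.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"{network.network_address}/{prefix}"


def render_notification_vulnerable(event: dict) -> str:
    """Behaviour described in the advisory: the full address goes into the e-mail body."""
    return (f"Activity: {event['activity']} by {event['username']}\n"
            f"From address: {event['address']}\n")


def render_notification_hardened(event: dict) -> str:
    """Hardened variant (an assumption, not the upstream fix): only a masked prefix is sent."""
    return (f"Activity: {event['activity']} by {event['username']}\n"
            f"From address: {mask_ip(event['address'])}\n")


def leaks_full_ip(body: str, address: str) -> bool:
    """Simple check a test suite can run over rendered notifications."""
    return address in body
```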
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
High
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- WeblateOrg / weblate: versions < 5.12
References
- VENDOR_ADVISORY: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5
- PATCH: https://github.com/WeblateOrg/weblate/pull/15102
- PATCH: https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62
- PATCH: https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1