Description
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
CVSS breakdown
CVSS 4.0
- Attack Vector: Local
- Attack Complexity: High
- Attack Requirements: Present
- Privileges Required: Low
- User Interaction: Passive
- Confidentiality (Vulnerable System): Low
- Integrity (Vulnerable System): Low
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): None
- Integrity (Subsequent System): None
- Availability (Subsequent System): None
Affected products
- WeblateOrg / weblate: < 5.15
References
- VENDOR_ADVISORY: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj
- PATCH: https://github.com/WeblateOrg/weblate/pull/16913
- PATCH: https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9
- PATCH: https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15