Description
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
Impact
It was possible to retrieve user notification settings or list all users via API.
Patches
References
Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to Weblate.
Packages
Name: Weblate (pip)
Affected versions: < 5.15
Fixed version: 5.15
Related vulnerabilities
CVSS3: 4.3
nvd
about 2 months ago
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
CVSS3: 4.3
debian
about 2 months ago
Weblate is a web based localization tool. In versions prior to 5.15, i ...