Description
Cross-site Scripting in Weblate
Impact
Due to improper neutralization, it was possible to perform cross-site scripting via crafted user and language names.
Patches
The issues were fixed in the 4.11 release. The following commits address them:
- f6753a1a1c63fade6ad418fbda827c6750ab0bda
- 9e19a8414337692cc90da2a91c9af5420f2952f1
- 22d577b1f1e88665a88b4569380148030e0f8389
Workarounds
Until you can upgrade, check whether you were affected by looking for crafted user and language names in your instance, for example names containing HTML tags, quotes or on*= event-handler attributes. Users unable to upgrade are advised to add their own neutralization (HTML escaping) of these fields before they are rendered.
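The two points above, the improper neutralization described under Impact and the "look for crafted names" workaround, as an added Python example that is not Weblate's code and does not reproduce the patched templates. The `render_unsafe`/`render_safe` template fragment and the `SAMPLE_NAMES` list are constructed for this example; the escaping uses the standard library's `html.escape`, which does the same job as Django's `django.utils.html.escape` / `format_html` in a Django application such as Weblate.

```python
import html
import re

# Constructed sample user and language names for this example only,
# not data from any Weblate instance.
SAMPLE_NAMES = [
    "Alice Example",
    "Čeština",
    "<script>alert(1)</script>",
    '" onmouseover="alert(document.cookie)',
    "<img src=x onerror=alert(1)>",
]


def render_unsafe(name: str) -> str:
    """Vulnerable pattern (hypothetical template): the raw name is interpolated
    both as element text and inside a title attribute."""
    return f'<span class="user-name" title="{name}">{name}</span>'


def render_safe(name: str) -> str:
    """Hardened pattern: escape once, with quote=True so the attribute context
    is neutralized as well as the text context."""
    safe = html.escape(name, quote=True)
    return f'<span class="user-name" title="{safe}">{safe}</span>'


TAG = re.compile(r"<[^>]*>")


def tag_count(rendered: str) -> int:
    """Number of tag-like tokens in a fragment. The template itself contributes
    exactly two (the opening and closing span); anything more came from the name."""
    return len(TAG.findall(rendered))


# Heuristic for the workaround: a name with tag syntax, a quote, an HTML entity
# or an on*= handler deserves a manual look. False positives are acceptable in a
# triage list; missing a crafted name is the failure we want to avoid.
SUSPICIOUS = re.compile(r"""[<>"']|&#?\w+;|\bon\w+\s*=""", re.IGNORECASE)


def find_crafted_names(names):
    """Return the names a reviewer should inspect by hand."""
    return [n for n in names if SUSPICIOUS.search(n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r}: unsafe tags={tag_count(render_unsafe(n))}, "
              f"safe tags={tag_count(render_safe(n))}")
    print("names to review:", find_crafted_names(SAMPLE_NAMES))
```

Run it and the `<script>` and `<img>` names produce extra tags through `render_unsafe` but never through `render_safe`, while the `" onmouseover=` name shows why `quote=True` matters: without it the attribute value would close early and the handler would become a live attribute. The same `SUSPICIOUS` pattern can be applied to exported user and language tables when auditing an instance that ran a version before 4.11.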
References
- https://hackerone.com/reports/1486674
- https://hackerone.com/reports/1486718
- https://hackerone.com/reports/1485226
For more information
If you have any questions or comments about this advisory:
- Open a topic in discussions
- Email us at care@weblate.org
Links
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66
- https://nvd.nist.gov/vuln/detail/CVE-2022-24710
- https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389
- https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1
- https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda
- https://github.com/WeblateOrg/weblate
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2022-35.yaml
Packages
Weblate
Affected versions: < 4.11
Patched version: 4.11
Related vulnerabilities
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.