CVE Vulnerability

CVE-2022-24710

Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66 Patch Third Party Advisory
https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda Patch Third Party Advisory
https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1 Patch Third Party Advisory
https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
Information

Published : 2022-02-25 09:15

Updated : 2022-03-08 03:13

NVD link : CVE-2022-24710

Mitre link : CVE-2022-24710

Products Affected
No products.
CWE
CWE-79