Weblate vulnerable to improper sanitization of project backups
Description
Published by the National Vulnerability Database
Jul 1, 2024
Published to the GitHub Advisory Database
Jul 1, 2024
Reviewed
Jul 1, 2024
Last updated
Nov 18, 2024
Impact
Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to
files on the server using a crafted ZIP file.
Patches
This issue has been addressed in Weblate 5.6.2 via WeblateOrg/weblate@b6a7eac.
Workarounds
Do not allow project creation to untrusted users.
References
Thanks to Bryan Cahill for bringing this issue to our attention.
For more information
If you have any questions or comments about this advisory:
References