CVE-2022-24710 — Cross-site Scripting in Weblate

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 45.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblateorg Weblate Weblate

Timeline

PublishedFeb 25

Latest updateJul 21

Description

Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDweblate/weblate< 4.11

▶PyPIweblate/weblate< 4.11+3

▶CVEListV5weblateorg/weblate< 4.11

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Cross-site Scripting in Weblate↗2022-02-25

▶

OSV

CVE-2022-24710: Weblate is a copyleft software web-based continuous localization system↗2022-02-25

▶

OSV

Cross-site Scripting in Weblate↗2022-02-25

▶

📄Research Papers

arXiv

Exploring Security Commits in Python↗2023-07-21

▶