PYSEC-2022-35
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2022-35.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2022-35
- Aliases
- Published
- 2022-02-25T21:15:00Z
- Modified
- 2023-12-06T01:02:04.640923Z
- Summary
- [none]
- Details
-
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.
- References
-
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66
- https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda
- https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1
- https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389
Affected packages
PyPI / weblate
Package
- Name
- weblate
- View open source insights on deps.dev
- Purl
- pkg:pypi/weblate
Affected ranges
- Type
- GIT
- Repo
- https://github.com/WeblateOrg/weblate
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.11
Affected versions
1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1