Advisories for Pypi/Weblate package

2024
2022

Command injection in Weblate

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-23915. Reason: This candidate is a reservation duplicate of CVE-2022-23915. Notes: All CVE users should reference CVE-2022-23915 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Weblate is a copyleft, web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in the user name and language fields, so cross-site scripting is possible via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralization logic for these fields.

2017

Information disclosure in password reset form

Weblate contains an information disclosure issue in its password reset form. Entering an arbitrary email address in the password reset form causes Weblate to respond with "User with this email address was not found.", making it possible to determine which user accounts exist on the Weblate instance (user enumeration).