5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24710

GHSA ID

GHSA-6jp6-9rf9-gc66

EPSS Score

0.52405%

CWE

CWE-79

Published

2/25/2022

Updated

11/19/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24710

CVE-2022-24710: Cross-site Scripting in Weblate

Impact

Due to improper neutralization, it was possible to perform cross-site scripting via crafted user and language names.

Patches

The issues were fixed in the 4.11 release. The following commits are addressing it:

f6753a1a1c63fade6ad418fbda827c6750ab0bda
9e19a8414337692cc90da2a91c9af5420f2952f1
22d577b1f1e88665a88b4569380148030e0f8389

Workarounds

You can look for crafted user and language names to see if you were affected.

References

https://hackerone.com/reports/1486674
https://hackerone.com/reports/1486718
https://hackerone.com/reports/1485226

For more information

If you have any questions or comments about this advisory:

Open a topic in discussions
Email us at care@weblate.org

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24710

GHSA ID

GHSA-6jp6-9rf9-gc66

EPSS Score

0.52405%

CWE

CWE-79

Published

2/25/2022

Updated

11/19/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Weblate	pip	< 4.11	4.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing output encoding in 4 key areas: 1) Report generation functions (get_credits/get_counts) failed to escape user-controlled data. 2) Translation form rendering didn't escape language names. 3) Username autocomplete directly injected unescaped strings. The patches explicitly add HTML escaping (via Django's escape() and DOM text node creation) in these specific locations, confirming these were the vulnerable entry points. The CWE-79 classification and commit messages directly correlate to XSS via user/language name inputs in these components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *u* to improp*r n*utr*liz*tion, it w*s possi*l* to p*r*orm *ross-sit* s*riptin* vi* *r**t** us*r *n* l*n*u*** n*m*s. ### P*t***s T** issu*s w*r* *ix** in t** *.** r*l**s*. T** *ollowin* *ommits *r* ***r*ssin* it: * *********************

Reasoning

T** vuln*r**ility st*ms *rom missin* output *n*o*in* in * k*y *r**s: *) R*port **n*r*tion *un*tions (**t_*r**its/**t_*ounts) **il** to *s**p* us*r-*ontroll** **t*. *) Tr*nsl*tion *orm r*n**rin* *i*n't *s**p* l*n*u*** n*m*s. *) Us*rn*m* *uto*ompl*t* *

5.4

Basic Information

Concerned about an active attack path?

CVE-2022-24710: Cross-site Scripting in Weblate

Impact

Patches

Workarounds

References

For more information

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI