4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39303

CVE-2024-39303: Weblate vulnerable to improper sanitization of project backups

Impact

Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file.

Patches

This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.

Workarounds

Do not allow project creation to untrusted users.

References

Thanks to Bryan Cahill for bringing this issue to our attention.

For more information

If you have any questions or comments about this advisory:

Open a topic in discussions
Email us at care@weblate.org

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39303

CVE-2024-39303:

4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Weblate	pip	>= 4.14, < 5.6.2	5.6.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerability was in the restore() method's handling of ZIP file entries. Before the patch, it constructed targetpath by concatenating user-controlled 'name' values from the ZIP with project.full_path, without validating path normalization. The patch added a check using os.path.normpath() to prevent directory traversal. This matches CWE-73 (path injection) and the advisory's description of improper filename validation during backup restoration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39303: Weblate vulnerable to improper sanitization of project backups

Impact

Patches

Workarounds

References

For more information

CVE-2024-39303:

4.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-39303: Weblate vulnerable to improper sanitization of project backups

Impact

Patches

Workarounds

References

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

4.4

4.4

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI