| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| weblate | pip | < 5.12 | 5.12 |
The vulnerability involves the exposure of users' full IP addresses in audit log notification emails. The provided commit 020b2905e4d001cff2452574d10e6cf3621b5f62 addresses this issue by anonymizing the IP address before it's included in the email.
The core of the vulnerability lies in how the IP address was handled when generating these notification emails.
In weblate/accounts/models.py, the AuditLog model stores the user's IP address in its address attribute. The patch introduces a new property, shortened_address, on this model, which computes an anonymized version of the IP address. The second change is in weblate/accounts/tasks.py, within the notify_auditlog function, which is responsible for preparing and sending the audit log notification email.
Before the patch, this function takes an AuditLog instance (named audit) and uses audit.address (the full IP address) directly when constructing the context dictionary for the email template: `"address": audit.address,`. The patch replaces this with `"address": audit.shortened_address,`. Therefore, the weblate.accounts.tasks.notify_auditlog function, in its pre-patch version, is the vulnerable function: it accessed the full IP address and passed it into the email generation process, leading to the information disclosure. During exploitation (which in this case is simply a user action triggering an audit log notification), this function would be on the call stack as it processes the audit event and prepares the email content containing the sensitive IP address.
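The following is an added illustration of the pattern described above, not Weblate's own code: an audit-log record carrying a raw client IP, a shortened_address property that coarsens it, and the email-context builder in its pre-patch and post-patch forms side by side. The anonymization widths (IPv4 to a /24, IPv6 to a /48), the class and function names, and the sample addresses are assumptions chosen for this example and are not taken from the Weblate source.

```python
"""Added example (not Weblate's code): anonymise a client IP before it is
placed in a notification-email context.

Assumptions (hypothetical, not from the Weblate source): the truncation
widths (IPv4 -> /24, IPv6 -> /48) and all names below are for this
example only.
"""
import ipaddress
from dataclasses import dataclass


def anonymize_ip(address: str) -> str:
    """Return a coarsened form of an IP address.

    IPv4 addresses keep their first three octets, IPv6 addresses their
    first 48 bits; the remaining bits are zeroed and the result is written
    in CIDR form. Unparseable input yields a fixed marker so a malformed
    value is never echoed back into an email.
    """
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "unknown"
    prefix = 24 if ip.version == 4 else 48
    # strict=False lets ip_network clear the host bits for us.
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network)


@dataclass
class AuditLog:
    """Minimal stand-in for an audit-log row holding the raw client IP."""
    activity: str
    address: str

    @property
    def shortened_address(self) -> str:
        """Anonymised view of the stored address, computed on demand."""
        return anonymize_ip(self.address)


def email_context_vulnerable(audit: AuditLog) -> dict:
    """Pre-patch pattern: the raw address flows straight into the template."""
    return {"activity": audit.activity, "address": audit.address}


def email_context_fixed(audit: AuditLog) -> dict:
    """Post-patch pattern: only the anonymised value reaches the template."""
    return {"activity": audit.activity, "address": audit.shortened_address}


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges only).
    for raw in ("203.0.113.47", "2001:db8:abcd:1234::5", "not-an-ip"):
        audit = AuditLog(activity="login", address=raw)
        print(raw, "->", email_context_fixed(audit)["address"])
```

The full address is still kept in the record (audit.address), so the fix is confined to what leaves the system in email; anything else that renders an AuditLog for a user should go through the same anonymised property.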