https://bugzilla.suse.com/show_bug.cgi?id=1227273 Bug ID: 1227273 Summary: VUL-0: CVE-2024-39303: Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ... Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412574/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: mcepl@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: stoyan.manolov@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39303 https://www.cve.org/CVERecord?id=CVE-2024-39303 https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9... https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4... -- You are receiving this mail because: You are on the CC list for the bug.