Severity: MEDIUM (4.4)

GHSA-jfgp-674x-6q4p

Weblate vulnerable to improper sanitization of project backups

Details

### Impact

Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file.
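The class of bug described above is a missing check on archive member names before extraction. The following is an added illustration, not Weblate's code or its fix, of the defensive validation a backup-restore path should perform: reject any member whose name is absolute, carries a drive prefix, or contains a `..` component, and verify the resolved destination path as a second guard. The function names, the in-memory sample archives and the `demo()` helper are assumptions constructed for this example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def member_is_safe(name: str) -> bool:
    """Return True if a ZIP member name stays inside the extraction root.

    Rejects empty names, absolute paths, drive prefixes such as 'C:' and
    any '..' path component, so extraction cannot write outside the
    target directory.
    """
    if not name or name.startswith(("/", "\\")):
        return False
    if len(name) > 1 and name[1] == ":":
        return False
    parts = PurePosixPath(name.replace("\\", "/")).parts
    return ".." not in parts


def unsafe_members(archive: bytes) -> list[str]:
    """List member names in the archive that would escape the destination."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist()
                if not member_is_safe(info.filename)]


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract an archive only if every member passes the name check.

    The whole archive is rejected (nothing is written) if any member is
    unsafe. A filesystem-level check on the resolved path is applied per
    member as a second line of defence before writing.
    """
    bad = unsafe_members(archive)
    if bad:
        raise ValueError(f"refusing to restore backup; unsafe entries: {bad}")
    dest_real = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"path escapes destination: {info.filename}")
            zf.extract(info, dest_real)
            extracted.append(info.filename)
    return extracted


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run the check over a clean and an unsafe constructed archive."""
    clean = build_archive({"project/data.json": b"{}", "project/po/cs.po": b""})
    tainted = build_archive({"project/data.json": b"{}", "../outside.txt": b"x"})
    result = {"clean_rejected": unsafe_members(clean),
              "tainted_rejected": unsafe_members(tainted)}
    with tempfile.TemporaryDirectory() as workdir:
        result["clean_extracted"] = sorted(safe_extract(clean, workdir))
        try:
            safe_extract(tainted, workdir)
            result["tainted_extracted"] = True
        except ValueError:
            result["tainted_extracted"] = False
        # nothing from the tainted archive may have been written
        result["outside_written"] = os.path.exists(
            os.path.join(os.path.dirname(workdir), "outside.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole archive before writing anything, rather than skipping bad entries one by one, is deliberate: a backup that contains a traversal entry is not a backup the restore code should trust at all, and a partial restore is harder to reason about than a clean failure.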

### Patches

This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd.

### Workarounds

Do not allow project creation to untrusted users.

### References

Thanks to Bryan Cahill for bringing this issue to our attention.

### For more information

If you have any questions or comments about this advisory:

* Open a topic in [discussions](https://github.com/WeblateOrg/weblate/discussions)
* Email us at [care@weblate.org](mailto:care@weblate.org)


Affected packages

PyPI / weblate
Introduced in: 4.14
Fixed in: 5.6.2
Fix: pip install --upgrade 'weblate>=5.6.2'
