Description
The weblate package, in versions from 0 and before 4.11.1, is vulnerable to Remote Code Execution (RCE) via argument injection when using Git or Mercurial repositories. Authenticated users can change the behavior of the application in an unintended way, leading to command execution.
References
https://github.com/WeblateOrg/weblate/pull/7337
Patch, Third Party Advisory
https://github.com/WeblateOrg/weblate/pull/7338
Patch, Third Party Advisory
https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
Patch, Release Notes, Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
Patch, Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 · High
CVSS V3.1
Information
Source identifier
Vulnerability status
Analyzed
Published
2022-03-04T20:15:07.757
Last modified
2022-03-12T01:58:54.757