What is CVE-2024-39303?

CVE-2024-39303 is a medium-severity vulnerability in Weblateorg Weblate, classified under External Control of File Name or Path. CVSS score: 4.4/10. Published 2024-07-01.

How severe is CVE-2024-39303?

Medium severity. CVSS v3 base score is 4.4 out of 10.

Vulnerability in Weblateorg Weblate

CVE-2024-39303

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. Th…

EPSS: 0.004 (63.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.

Affected products

Weblateorg Weblate — versions >= 4.14, < 5.6.2

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p (x_refsource_CONFIRM)
https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-39303?: CVE-2024-39303 is a medium-severity vulnerability in Weblateorg Weblate, classified under External Control of File Name or Path. CVSS score: 4.4/10. Published 2024-07-01.
How severe is CVE-2024-39303?: Medium severity. CVSS v3 base score is 4.4 out of 10.