Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`.
Version 5.16.1 fixes the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Weblate Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
|
— |
5.16.1
|
References 6
https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d…
security-advisories@github.com
https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3…
security-advisories@github.com
https://github.com/WeblateOrg/weblate/pull/18107
security-advisories@github.com
https://github.com/WeblateOrg/weblate/pull/18164
security-advisories@github.com
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1
security-advisories@github.com
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv
security-advisories@github.com