Weblate


132 total issues disclosed

$0 total paid publicly


Most common weakness type: None supplied (37 disclosures)




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed On |
|---|---|---|---|---|
| Reset password cookie leads to account takeover | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | seqrity | Medium | 2020-10-12 |
| Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] | Cross-Site Request Forgery (CSRF) | seqrity | Low | 2020-10-12 |
| Open Github Repo Leaking WEBLATE SECRET KEY | Cleartext Storage of Sensitive Information | nafisaqil | None | 2020-07-26 |
| Improper validation of unicode characters#2 | None supplied | code_monkey | None | 2020-07-26 |
| Secret_key in GitHub | Information Disclosure | fr0gz0x | None | 2020-07-18 |
| 2nd issue>>> flood of email no rate limit on delete account confirmation email >> | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28 |
| flood of comment no rate limit on commnets >> by using different user agent | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28 |
| no notification send to victim if attacker hacks/accesses his victims WebLate account. | Business Logic Errors | c0narp | Low | 2018-09-26 |
| Browser Self XSS Protection not implemented | Information Disclosure | hallaleen | No rating | 2018-09-26 |
| Broken Authentication – Session Token bug | None supplied | crazy_wonk | None | 2018-09-26 |
| Open port leads to information disclosure | Information Disclosure | str33 | Low | 2018-09-10 |
| Tab nabbing via window.opener | None supplied | logan47 | No rating | 2018-09-01 |
| Audit log validation | Improper Neutralization of HTTP Headers for Scripting Syntax | mur90210 | None | 2018-08-28 |
| Insecure Account Removal #2 | Violation of Secure Design Principles | japz | Low | 2018-08-28 |
| Account Restore / Reactivating an old email via old reset link | None supplied | footstep | No rating | 2018-08-27 |
| Running 2 accounts with a single email #3 | Business Logic Errors | footstep | No rating | 2018-08-27 |
| DNSSEC Zone Walk using NSEC Records | Information Disclosure | pk21 | None | 2018-01-30 |
| Improper validation of unicode characters | None supplied | crazy_wonk | None | 2017-11-17 |
| Running 2 accounts with a single email [Part 2] | Business Logic Errors | footstep | No rating | 2017-10-07 |
| Reset password more than once with a reset link #2 | Business Logic Errors | footstep | No rating | 2017-10-07 |
| Application allowing old password to be set as new password \| hosted.weblate.org | None supplied | punkit | No rating | 2017-10-05 |
| Add another email address without verification | Improper Access Control - Generic | tungpun | No rating | 2017-10-05 |
| DKIM records not present, Email Hijacking is possible..... | Improper Authentication - Generic | kaamakya | None | 2017-09-16 |
| Missing Restriction On String Size | Memory Corruption - Generic | alyanwarr | None | 2017-09-16 |
| No rate limit or captcha to identify humans | Violation of Secure Design Principles | alyanwarr | None | 2017-09-15 |
| Improper Cookie expiration \| Cookies Expiration Set to Future | None supplied | punkit | Low | 2017-08-31 |
| [debian.weblate.org]-Missing SPF Record | Violation of Secure Design Principles | hackerhero | Low | 2017-08-24 |
| Reset password more than once with a reset link | Business Logic Errors | footstep | No rating | 2017-08-21 |
| Full Name Overwrite on Third party login | None supplied | footstep | No rating | 2017-08-21 |
| No Rate Limitation on Regenerate Api Key | None supplied | footstep | No rating | 2017-08-21 |
| Persistence of Third Party Association. | Business Logic Errors | footstep | No rating | 2017-08-21 |
| Previous password could set as new password | None supplied | footstep | No rating | 2017-08-21 |
| Password token validation in Weblate Bypass #2 | None supplied | footstep | No rating | 2017-08-21 |
| Password token validation in Weblate Bypass | Improper Authentication - Generic | footstep | None | 2017-08-21 |
| Improper validation of unicode characters #3 | None supplied | footstep | No rating | 2017-08-21 |
| Improper validation of unicode characters still not fixed #2 | None supplied | footstep | No rating | 2017-08-21 |
| Improper validation of unicode characters still not fixed | None supplied | footstep | No rating | 2017-08-21 |
| Password Restriction | Violation of Secure Design Principles | chols | Low | 2017-08-19 |
| Improper validation of unicode characters | Violation of Secure Design Principles | asaxena2190 | No rating | 2017-08-19 |
| Weak password policy | None supplied | platinum1933 | Low | 2017-08-18 |
| Csrf in watch-unwatch projects | Cross-Site Request Forgery (CSRF) | ashish_r_padelkar | Low | 2017-08-17 |
| Error Message When Changing Username | Business Logic Errors | blake12356 | None | 2017-08-17 |
| The username of an account can be .. | Business Logic Errors | blake12356 | None | 2017-07-27 |
| No filteration of null characters in name field | Violation of Secure Design Principles | blake12356 | None | 2017-07-27 |
| Bypassing captcha in registration on Hosted site | Denial of Service | pavanw3b | Medium | 2017-07-03 |
| Invalidate session after password reset - hosted website | None supplied | pavanw3b | Low | 2017-07-03 |
| Rate Limit Issue on hosted.weblate.org | Brute Force | imran_hadid | Low | 2017-07-02 |
| Weblate \|Security Misconfiguration\| Method Enumeration Possible on domain | None supplied | punkit | None | 2017-07-02 |
| Captcha bypass at registration | None supplied | proabiral | Low | 2017-06-28 |
| Adding Email lacks Password validation | None supplied | proabiral | Low | 2017-06-28 |
| Password token validation in https://demo.weblate.org/ | Improper Authentication - Generic | brdoors3 | No rating | 2017-06-27 |
| Improper validation of unicode characters | None supplied | rammarj | No rating | 2017-06-20 |
| Existing sessions valid after removing third party auth | Improper Authentication - Generic | brdoors3 | Low | 2017-06-16 |
| Directory Listing | Cleartext Storage of Sensitive Information | haxor_kiddie | None | 2017-06-16 |
| Email spoofing at weblate.org | None supplied | pyrk2142 | No rating | 2017-06-16 |
| Incorrect HTTPS Certificate | Improper Certificate Validation | numbshiva | None | 2017-06-16 |
| ClickJacking on Debug | UI Redressing (Clickjacking) | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| 7BO: Binary Option Robot URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| Facebook share URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| Takeover of an account via reset password options after removing the account | Improper Authentication - Generic | imran_hadid | Low | 2017-06-13 |
| Open redirect while disconnecting Email | Open Redirect | atruba | No rating | 2017-06-08 |
| Open redirect while disconnecting authenticated account | Open Redirect | gsecure | Medium | 2017-06-08 |
| Clickjacking docs.weblate.org | None supplied | lolninja | Low | 2017-06-05 |
| Weblate- Banner Grabbing-Ngnix Server version | None supplied | punkit | No rating | 2017-06-05 |
| Old password can be new password | None supplied | proabiral | Low | 2017-06-03 |
| Missing restriction on string size | None supplied | proabiral | Low | 2017-06-03 |
| Login CSRF : Login Authentication Flaw | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-06-02 |
| No Rate Limiting at /contact | Memory Corruption - Generic | chols | Low | 2017-06-02 |
| CSRF - Changing the full name / adding a secondary email identity of an account via a GET request | Cross-Site Request Forgery (CSRF) | inhibitor181 | Medium | 2017-06-02 |
| Captcha Bypass at Email Reset can lead to Spamming users. | Violation of Secure Design Principles | sahilmk | No rating | 2017-06-02 |
| Information Disclosure on demo.weblate.org | Information Disclosure | sp1d3rs | Low | 2017-06-02 |
| CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org | Cross-Site Request Forgery (CSRF) | sup3r-b0y | Medium | 2017-06-02 |
| Uploaded XLF files result in External Entity Execution | XML External Entities (XXE) | 4cad | High | 2017-06-02 |
| API Does Not Apply Access Controls to Translations | Improper Access Control - Generic | 4cad | Low | 2017-06-02 |
| Design Flaw in session management of password reset | Improper Access Control - Generic | asaxena2190 | No rating | 2017-06-02 |
| No notificatoin sent on email after account deletion. | None supplied | mansoor_gilal | No rating | 2017-06-02 |
| Self-XSS can be achieved in the editor link using filter bypass | Cross-site Scripting (XSS) - Generic | sp1d3rs | None | 2017-06-02 |
| CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org | Violation of Secure Design Principles | mrr3boot | None | 2017-05-23 |
| Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register | Violation of Secure Design Principles | smit | None | 2017-05-22 |
| Option method enabled | Violation of Secure Design Principles | hurthearts | None | 2017-05-21 |
| Open SMTP port can let anyone send email from mail.chihar.com | Cryptographic Issues - Generic | str33 | No rating | 2017-05-20 |
| You can simply just use passwords that simply are as 123456 | None supplied | sarlis | Low | 2017-05-19 |
| Null Password - Setting a new password doesn't check for empty spaces | Weak Cryptography for Passwords | footstep | Low | 2017-05-18 |
| Access to completion page without performing any action | Improper Access Control - Generic | footstep | None | 2017-05-18 |
| Setting a password with a single character | Weak Cryptography for Passwords | footstep | Low | 2017-05-18 |
| Running 2 accounts with a single email | Business Logic Errors | footstep | None | 2017-05-18 |
| HttpOnly Flag not set | Violation of Secure Design Principles | secachhunew | None | 2017-05-18 |
| Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/ | Memory Corruption - Generic | smit | Low | 2017-05-18 |
| hosted.weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17 |
| Logout CSRF | Cross-Site Request Forgery (CSRF) | japz | Low | 2017-05-17 |
| [demo.weblate.org] Stored Self-XSS via Editor Link in Profile | Cross-site Scripting (XSS) - Stored | ysx | Low | 2017-05-17 |
| Specify maximal length in translation | Violation of Secure Design Principles | eugui | None | 2017-05-17 |
| CSV Injection with the CVS export feature - Glossary | Command Injection - Generic | eugui | Low | 2017-05-17 |
| Activation tokens are not expiring | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-05-17 |
| Open Redirect via "next" parameter in third-party authentication | Open Redirect | ysx | Medium | 2017-05-17 |
| Insecure Account Removal | Violation of Secure Design Principles | japz | Low | 2017-05-17 |
| Login using disconnected google account i.e login using old email id | Improper Authentication - Generic | tushar21 | Low | 2017-05-17 |
| Registration captcha bypass | Violation of Secure Design Principles | blacky | Medium | 2017-05-17 |
| Content Spoofing | None supplied | mga_bobo | Low | 2017-05-17 |
| [hosted.weblate.org]Account Takeover | None supplied | mga_bobo | Low | 2017-05-17 |
| Open redirect in Signing in via Social Sites | Open Redirect | rajauzairabdullah | Medium | 2017-05-17 |
| demo.weblate.org is vulnerable to SWEET32 Vulnerability | Inadequate Encryption Strength | d0rkerdevil | Low | 2017-05-17 |
| Improper Password Reset Policy on https://hosted.weblate.org/ | Violation of Secure Design Principles | mrr3boot | Low | 2017-05-17 |
| No Password Length Restriction leads to Denial of Service | Denial of Service | ant_pyne | Low | 2017-05-17 |
| Email verification over an unencrypted channel | Man-in-the-Middle | pavanw3b | Low | 2017-05-17 |
| No Rate Limitting at Change Password | None supplied | mga_bobo | Medium | 2017-05-17 |
| full path disclosure at hosted.weblate.org/admin/accounts/profile/ | Path Traversal | geekdad | Medium | 2017-05-17 |
| Improper access control when an added email address is deleted from authentication | Improper Access Control - Generic | cache_bounty | High | 2017-05-17 |
| Account Takeover using Third party Auth CSRF | Cross-Site Request Forgery (CSRF) | ansariosama | High | 2017-05-17 |
| Notify user about password change | Improper Authentication - Generic | eugui | Low | 2017-05-17 |
| No BruteForce Protection | Brute Force | jaypatel | Medium | 2017-05-17 |
| CSRF : Reset API | Cross-Site Request Forgery (CSRF) | jaypatel | Low | 2017-05-17 |
| CSV Injection with the CSV export feature | OS Command Injection | jaypatel | Low | 2017-05-17 |
| CSRF : Lock and Unlock Translation | Cross-Site Request Forgery (CSRF) | jaypatel | Medium | 2017-05-17 |
| Weak e-mail change functionality could lead to account takeover | Violation of Secure Design Principles | twicedi | Low | 2017-05-17 |
| Self XSS at translation page through Editor Link at demo.weblate.org | Cross-site Scripting (XSS) - Generic | csanuragjain | Low | 2017-05-17 |
| session id missing secure flag - Hosted Website | None supplied | pavanw3b | Low | 2017-05-17 |
| Rate Limit Bypass on login Page | Improper Authentication - Generic | atruba | Medium | 2017-05-17 |
| User Enumeration when adding email to account | None supplied | atruba | Low | 2017-05-17 |
| Spamming any user from Reset Password Function | Violation of Secure Design Principles | atruba | Low | 2017-05-17 |
| CSV export filter bypass leads to formula injection. | Command Injection - Generic | edoverflow | Medium | 2017-05-17 |
| Already Registered Email Disclosure | Information Disclosure | anonymans | Low | 2017-05-17 |
| Content Spoofing in error message | Violation of Secure Design Principles | codertom | Low | 2017-05-17 |
| No expiration of session ID after Password change | Insufficient Session Expiration | str33 | Low | 2017-05-17 |
| Missing DMARC on weblate.org | None supplied | khalidamin | Low | 2017-05-17 |
| Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form | None supplied | khalidamin | None | 2017-05-17 |
| Abuse of Api that causes spamming users and possible DOS due to missing rate limit | None supplied | khalidamin | Low | 2017-05-17 |
| Content Spoofing | Violation of Secure Design Principles | eveeez | Low | 2017-05-17 |
| Specify maximal length in new comment | Violation of Secure Design Principles | eugui | Low | 2017-05-17 |
| weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17 |
| CSRF to Connect third party Account | Cross-Site Request Forgery (CSRF) | bhavi | Medium | 2017-05-02 |
| Web server is vulnerable to Beast Attack | Cryptographic Issues - Generic | mrr3boot | Low | 2017-04-24 |