Weblate Program Statistics
132 total issues disclosed

$0 total paid publicly

Most common weakness type: None supplied (37 disclosures)

Disclosed Reports
Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
Reset password cookie leads to account takeover | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | seqrity | Medium | 2020-10-12
Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] | Cross-Site Request Forgery (CSRF) | seqrity | Low | 2020-10-12
Open Github Repo Leaking WEBLATE SECRET KEY | Cleartext Storage of Sensitive Information | nafisaqil | None | 2020-07-26
Improper validation of unicode characters#2 | None supplied | code_monkey | None | 2020-07-26
Secret_key in GitHub | Information Disclosure | fr0gz0x | None | 2020-07-18
2nd issue>>> flood of email no rate limit on delete account confirmation email >> | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28
flood of comment no rate limit on commnets >> by using different user agent | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28
no notification send to victim if attacker hacks/accesses his victims WebLate account. | Business Logic Errors | c0narp | Low | 2018-09-26
Browser Self XSS Protection not implemented | Information Disclosure | hallaleen | No rating | 2018-09-26
Broken Authentication – Session Token bug | None supplied | crazy_wonk | None | 2018-09-26
Open port leads to information disclosure | Information Disclosure | str33 | Low | 2018-09-10
Tab nabbing via window.opener | None supplied | logan47 | No rating | 2018-09-01
Audit log validation | Improper Neutralization of HTTP Headers for Scripting Syntax | mur90210 | None | 2018-08-28
Insecure Account Removal #2 | Violation of Secure Design Principles | japz | Low | 2018-08-28
Account Restore / Reactivating an old email via old reset link | None supplied | footstep | No rating | 2018-08-27
Running 2 accounts with a single email #3 | Business Logic Errors | footstep | No rating | 2018-08-27
DNSSEC Zone Walk using NSEC Records | Information Disclosure | pk21 | None | 2018-01-30
Improper validation of unicode characters | None supplied | crazy_wonk | None | 2017-11-17
Running 2 accounts with a single email [Part 2] | Business Logic Errors | footstep | No rating | 2017-10-07
Reset password more than once with a reset link #2 | Business Logic Errors | footstep | No rating | 2017-10-07
Application allowing old password to be set as new password | hosted.weblate.org | None supplied | punkit | No rating | 2017-10-05
Add another email address without verification | Improper Access Control - Generic | tungpun | No rating | 2017-10-05
DKIM records not present, Email Hijacking is possible..... | Improper Authentication - Generic | kaamakya | None | 2017-09-16
Missing Restriction On String Size | Memory Corruption - Generic | alyanwarr | None | 2017-09-16
No rate limit or captcha to identify humans | Violation of Secure Design Principles | alyanwarr | None | 2017-09-15
Improper Cookie expiration | Cookies Expiration Set to Future | None supplied | punkit | Low | 2017-08-31
[debian.weblate.org]-Missing SPF Record | Violation of Secure Design Principles | hackerhero | Low | 2017-08-24
Reset password more than once with a reset link | Business Logic Errors | footstep | No rating | 2017-08-21
Full Name Overwrite on Third party login | None supplied | footstep | No rating | 2017-08-21
No Rate Limitation on Regenerate Api Key | None supplied | footstep | No rating | 2017-08-21
Persistence of Third Party Association. | Business Logic Errors | footstep | No rating | 2017-08-21
Previous password could set as new password | None supplied | footstep | No rating | 2017-08-21
Password token validation in Weblate Bypass #2 | None supplied | footstep | No rating | 2017-08-21
Password token validation in Weblate Bypass | Improper Authentication - Generic | footstep | None | 2017-08-21
Improper validation of unicode characters #3 | None supplied | footstep | No rating | 2017-08-21
Improper validation of unicode characters still not fixed #2 | None supplied | footstep | No rating | 2017-08-21
Improper validation of unicode characters still not fixed | None supplied | footstep | No rating | 2017-08-21
Password Restriction | Violation of Secure Design Principles | chols | Low | 2017-08-19
Improper validation of unicode characters | Violation of Secure Design Principles | asaxena2190 | No rating | 2017-08-19
Weak password policy | None supplied | platinum1933 | Low | 2017-08-18
Csrf in watch-unwatch projects | Cross-Site Request Forgery (CSRF) | ashish_r_padelkar | Low | 2017-08-17
Error Message When Changing Username | Business Logic Errors | blake12356 | None | 2017-08-17
The username of an account can be .. | Business Logic Errors | blake12356 | None | 2017-07-27
No filteration of null characters in name field | Violation of Secure Design Principles | blake12356 | None | 2017-07-27
Bypassing captcha in registration on Hosted site | Denial of Service | pavanw3b | Medium | 2017-07-03
Invalidate session after password reset - hosted website | None supplied | pavanw3b | Low | 2017-07-03
Rate Limit Issue on hosted.weblate.org | Brute Force | imran_hadid | Low | 2017-07-02
Weblate |Security Misconfiguration| Method Enumeration Possible on domain | None supplied | punkit | None | 2017-07-02
Captcha bypass at registration | None supplied | proabiral | Low | 2017-06-28
Adding Email lacks Password validation | None supplied | proabiral | Low | 2017-06-28
Password token validation in https://demo.weblate.org/ | Improper Authentication - Generic | brdoors3 | No rating | 2017-06-27
Improper validation of unicode characters | None supplied | rammarj | No rating | 2017-06-20
Existing sessions valid after removing third party auth | Improper Authentication - Generic | brdoors3 | Low | 2017-06-16
Directory Listing | Cleartext Storage of Sensitive Information | haxor_kiddie | None | 2017-06-16
Email spoofing at weblate.org | None supplied | pyrk2142 | No rating | 2017-06-16
Incorrect HTTPS Certificate | Improper Certificate Validation | numbshiva | None | 2017-06-16
ClickJacking on Debug | UI Redressing (Clickjacking) | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16
7BO: Binary Option Robot URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16
Facebook share URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16
Takeover of an account via reset password options after removing the account | Improper Authentication - Generic | imran_hadid | Low | 2017-06-13
Open redirect while disconnecting Email | Open Redirect | atruba | No rating | 2017-06-08
Open redirect while disconnecting authenticated account | Open Redirect | gsecure | Medium | 2017-06-08
Clickjacking docs.weblate.org | None supplied | lolninja | Low | 2017-06-05
Weblate- Banner Grabbing-Ngnix Server version | None supplied | punkit | No rating | 2017-06-05
Old password can be new password | None supplied | proabiral | Low | 2017-06-03
Missing restriction on string size | None supplied | proabiral | Low | 2017-06-03
Login CSRF : Login Authentication Flaw | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-06-02
No Rate Limiting at /contact | Memory Corruption - Generic | chols | Low | 2017-06-02
CSRF - Changing the full name / adding a secondary email identity of an account via a GET request | Cross-Site Request Forgery (CSRF) | inhibitor181 | Medium | 2017-06-02
Captcha Bypass at Email Reset can lead to Spamming users. | Violation of Secure Design Principles | sahilmk | No rating | 2017-06-02
Information Disclosure on demo.weblate.org | Information Disclosure | sp1d3rs | Low | 2017-06-02
CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org | Cross-Site Request Forgery (CSRF) | sup3r-b0y | Medium | 2017-06-02
Uploaded XLF files result in External Entity Execution | XML External Entities (XXE) | 4cad | High | 2017-06-02
API Does Not Apply Access Controls to Translations | Improper Access Control - Generic | 4cad | Low | 2017-06-02
Design Flaw in session management of password reset | Improper Access Control - Generic | asaxena2190 | No rating | 2017-06-02
No notificatoin sent on email after account deletion. | None supplied | mansoor_gilal | No rating | 2017-06-02
Self-XSS can be achieved in the editor link using filter bypass | Cross-site Scripting (XSS) - Generic | sp1d3rs | None | 2017-06-02
CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org | Violation of Secure Design Principles | mrr3boot | None | 2017-05-23
Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register | Violation of Secure Design Principles | smit | None | 2017-05-22
Option method enabled | Violation of Secure Design Principles | hurthearts | None | 2017-05-21
Open SMTP port can let anyone send email from mail.chihar.com | Cryptographic Issues - Generic | str33 | No rating | 2017-05-20
You can simply just use passwords that simply are as 123456 | None supplied | sarlis | Low | 2017-05-19
Null Password - Setting a new password doesn't check for empty spaces | Weak Cryptography for Passwords | footstep | Low | 2017-05-18
Access to completion page without performing any action | Improper Access Control - Generic | footstep | None | 2017-05-18
Setting a password with a single character | Weak Cryptography for Passwords | footstep | Low | 2017-05-18
Running 2 accounts with a single email | Business Logic Errors | footstep | None | 2017-05-18
HttpOnly Flag not set | Violation of Secure Design Principles | secachhunew | None | 2017-05-18
Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/ | Memory Corruption - Generic | smit | Low | 2017-05-18
hosted.weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17
Logout CSRF | Cross-Site Request Forgery (CSRF) | japz | Low | 2017-05-17
[demo.weblate.org] Stored Self-XSS via Editor Link in Profile | Cross-site Scripting (XSS) - Stored | ysx | Low | 2017-05-17
Specify maximal length in translation | Violation of Secure Design Principles | eugui | None | 2017-05-17
CSV Injection with the CVS export feature - Glossary | Command Injection - Generic | eugui | Low | 2017-05-17
Activation tokens are not expiring | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-05-17
Open Redirect via "next" parameter in third-party authentication | Open Redirect | ysx | Medium | 2017-05-17
Insecure Account Removal | Violation of Secure Design Principles | japz | Low | 2017-05-17
Login using disconnected google account i.e login using old email id | Improper Authentication - Generic | tushar21 | Low | 2017-05-17
Registration captcha bypass | Violation of Secure Design Principles | blacky | Medium | 2017-05-17
Content Spoofing | None supplied | mga_bobo | Low | 2017-05-17
[hosted.weblate.org]Account Takeover | None supplied | mga_bobo | Low | 2017-05-17
Open redirect in Signing in via Social Sites | Open Redirect | rajauzairabdullah | Medium | 2017-05-17
demo.weblate.org is vulnerable to SWEET32 Vulnerability | Inadequate Encryption Strength | d0rkerdevil | Low | 2017-05-17
Improper Password Reset Policy on https://hosted.weblate.org/ | Violation of Secure Design Principles | mrr3boot | Low | 2017-05-17
No Password Length Restriction leads to Denial of Service | Denial of Service | ant_pyne | Low | 2017-05-17
Email verification over an unencrypted channel | Man-in-the-Middle | pavanw3b | Low | 2017-05-17
No Rate Limitting at Change Password | None supplied | mga_bobo | Medium | 2017-05-17
full path disclosure at hosted.weblate.org/admin/accounts/profile/ | Path Traversal | geekdad | Medium | 2017-05-17
Improper access control when an added email address is deleted from authentication | Improper Access Control - Generic | cache_bounty | High | 2017-05-17
Account Takeover using Third party Auth CSRF | Cross-Site Request Forgery (CSRF) | ansariosama | High | 2017-05-17
Notify user about password change | Improper Authentication - Generic | eugui | Low | 2017-05-17
No BruteForce Protection | Brute Force | jaypatel | Medium | 2017-05-17
CSRF : Reset API | Cross-Site Request Forgery (CSRF) | jaypatel | Low | 2017-05-17
CSV Injection with the CSV export feature | OS Command Injection | jaypatel | Low | 2017-05-17
CSRF : Lock and Unlock Translation | Cross-Site Request Forgery (CSRF) | jaypatel | Medium | 2017-05-17
Weak e-mail change functionality could lead to account takeover | Violation of Secure Design Principles | twicedi | Low | 2017-05-17
Self XSS at translation page through Editor Link at demo.weblate.org | Cross-site Scripting (XSS) - Generic | csanuragjain | Low | 2017-05-17
session id missing secure flag - Hosted Website | None supplied | pavanw3b | Low | 2017-05-17
Rate Limit Bypass on login Page | Improper Authentication - Generic | atruba | Medium | 2017-05-17
User Enumeration when adding email to account | None supplied | atruba | Low | 2017-05-17
Spamming any user from Reset Password Function | Violation of Secure Design Principles | atruba | Low | 2017-05-17
CSV export filter bypass leads to formula injection. | Command Injection - Generic | edoverflow | Medium | 2017-05-17
Already Registered Email Disclosure | Information Disclosure | anonymans | Low | 2017-05-17
Content Spoofing in error message | Violation of Secure Design Principles | codertom | Low | 2017-05-17
No expiration of session ID after Password change | Insufficient Session Expiration | str33 | Low | 2017-05-17
Missing DMARC on weblate.org | None supplied | khalidamin | Low | 2017-05-17
Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form | None supplied | khalidamin | None | 2017-05-17
Abuse of Api that causes spamming users and possible DOS due to missing rate limit | None supplied | khalidamin | Low | 2017-05-17
Content Spoofing | Violation of Secure Design Principles | eveeez | Low | 2017-05-17
Specify maximal length in new comment | Violation of Secure Design Principles | eugui | Low | 2017-05-17
weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17
CSRF to Connect third party Account | Cross-Site Request Forgery (CSRF) | bhavi | Medium | 2017-05-02
Web server is vulnerable to Beast Attack | Cryptographic Issues - Generic | mrr3boot | Low | 2017-04-24