Weblate VCS Credential Leakage Vulnerability

Vulnerability

A vulnerability in Weblate prior to version 5.11 allows the unintentional exposure of VCS credentials, such as GitHub personal access tokens and usernames. It occurs when a new component is created from an existing one whose source code repository URL embeds these credentials. The repository URL is passed as a URL parameter, so it can be logged by the server and is saved in plaintext in browser history. This is particularly concerning with the official Weblate Docker image, where the nginx access logs also capture the sensitive information in plaintext.

Impact

Exploitation of this vulnerability could lead to the leakage of VCS credentials, which, if compromised, might allow access to private repositories containing sensitive code.

Reproduction

To reproduce this vulnerability, create a component in Weblate with a repository URL that includes GitHub credentials. Then create a new component from this one; the request passes the original repository URL, credentials included, as a URL parameter. That URL can be logged by the server and saved in browser history, exposing the credentials in plaintext.
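To assess exposure on an existing deployment, an operator can scan the nginx access logs for requests whose query string carries a credentialed repository URL, and redact the userinfo before the URL is logged or forwarded. The following is an added example, not Weblate's own code: the log lines are constructed, and the query parameter name "repo" is an assumption, since the advisory does not name the parameter.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed nginx access-log lines (combined format). The parameter name
# "repo" is an assumption; the advisory does not state the real parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /create/component/?repo=https%3A%2F%2Foctocat%3Aghp_EXAMPLETOKEN123%40github.com%2Focto%2Fprivate.git HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [09/Jun/2025:19:47:12 +0000] "GET /create/component/?repo=https%3A%2F%2Fgithub.com%2Focto%2Fpublic.git HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jun/2025:19:48:30 +0000] "GET /projects/ HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Captures the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def has_userinfo(url):
    """True when the URL authority carries credentials (user:secret@host).

    A token-only URL (https://TOKEN@host/...) shows up as a username, so any
    userinfo is treated as sensitive; an ssh:// URL with user "git" will also
    match and should be reviewed manually.
    """
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def redact_url(url):
    """Strip userinfo from a VCS URL so it can be logged or passed on safely."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    # rpartition keeps host:port (and IPv6 brackets) exactly as written.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_leaked_credentials(log_text):
    """Return (line_no, param, redacted_url) for each query value embedding credentials."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for key, values in parse_qs(query).items():  # parse_qs percent-decodes values
            for value in values:
                if has_userinfo(value):
                    findings.append((line_no, key, redact_url(value)))
    return findings


if __name__ == "__main__":
    for line_no, key, safe_url in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: parameter {key!r} exposed credentials for {safe_url}")
```

Any hit means the token in that log line should be treated as compromised and rotated, since the same value also sits in the client's browser history.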

Remediation

Users can upgrade to Weblate version 5.11, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.