Weblate WLC Command-Line Client Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting vulnerability has been identified in the Weblate command-line client (WLC) versions prior to 2.0.0. The issue arises because the HTML output format embeds API response data into HTML without proper escaping. This flaw allows for cross-site scripting when the output is viewed in a web browser. The vulnerability has been patched in version 2.0.0.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, use a version of the WLC command-line client prior to 2.0.0. Opt into the HTML output format, which is the only vulnerable code path. When the output is rendered in a browser, the injected scripts will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users can upgrade to WLC version 2.0.0 or later, where this vulnerability has been fixed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.