Weblate Markdown Renderer Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in Weblate, a web-based localization tool, in versions prior to 5.17.1. The issue arises because the Markdown renderer used for user comments and other user-generated content did not adequately sanitize certain attributes. This flaw could allow for the injection of malicious scripts, potentially leading to cross-site scripting attacks.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a user comment or other user-provided content that includes Markdown image links. The Markdown renderer will process the links without proper sanitization, allowing for the injection of malicious attributes or scripts. This can be tested by including JavaScript event handlers, such as 'onerror' or 'onclick', in the image link, which would be executed when the image fails to load or the link is clicked.

Remediation

Users can upgrade to Weblate version 5.17.1 or later, where this vulnerability has been patched.