{"api_version":"1","generated_at":"2026-05-10T16:57:42+00:00","cve":"CVE-2022-24710","urls":{"html":"https://cve.report/CVE-2022-24710","api":"https://cve.report/api/cve/CVE-2022-24710.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24710","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24710"},"summary":{"title":"CVE-2022-24710","description":"Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-02-25 21:15:00","updated_at":"2022-03-08 15:13:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1","name":"https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1","refsource":"MISC","tags":[],"title":"js: Add missing escaping to username completion · WeblateOrg/weblate@9e19a84 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66","name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66","refsource":"CONFIRM","tags":[],"title":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Weblate · Advisory · WeblateOrg/weblate · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389","name":"https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389","refsource":"MISC","tags":[],"title":"reports: Escape user names in generated reports · WeblateOrg/weblate@22d577b · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda","name":"https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda","refsource":"MISC","tags":[],"title":"translate: Add missing escaping to language name · WeblateOrg/weblate@f6753a1 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24710","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24710","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24710","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"weblate","cpe5":"weblate","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24710","STATE":"PUBLIC","TITLE":"Cross-site Scripting in Weblate"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"weblate","version":{"version_data":[{"version_value":"< 4.11"}]}}]},"vendor_name":"WeblateOrg"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]},"references":{"reference_data":[{"name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66","refsource":"CONFIRM","url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6jp6-9rf9-gc66"},{"name":"https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389","refsource":"MISC","url":"https://github.com/WeblateOrg/weblate/commit/22d577b1f1e88665a88b4569380148030e0f8389"},{"name":"https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1","refsource":"MISC","url":"https://github.com/WeblateOrg/weblate/commit/9e19a8414337692cc90da2a91c9af5420f2952f1"},{"name":"https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda","refsource":"MISC","url":"https://github.com/WeblateOrg/weblate/commit/f6753a1a1c63fade6ad418fbda827c6750ab0bda"}]},"source":{"advisory":"GHSA-6jp6-9rf9-gc66","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-02-25 21:15:00","lastModifiedDate":"2022-03-08 15:13:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*","versionEndExcluding":"4.11","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24710","Ordinal":"228191","Title":"CVE-2022-24710","CVE":"CVE-2022-24710","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24710","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}