Search criteria
5 vulnerabilities by tolgee
CVE-2024-52297 (GCVE-0-2024-52297)
Vulnerability from cvelistv5 – Published: 2024-11-12 15:54 – Updated: 2024-11-12 18:37
VLAI?
Title
Tolgee's configuration all configuration properties leaked in public configuration DTO
Summary
Tolgee is an open-source localization platform. Tolgee 3.81.1 included the all configuration properties in the PublicConfiguratioDTO publicly exposed to users. This vulnerability is fixed in v3.81.2.
Severity ?
9.8 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tolgee | tolgee-platform |
Affected:
>= 3.81.1, < 3.81.2
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThanOrEqual": "3.81.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.81.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T18:36:23.377607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:37:23.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.81.1, \u003c 3.81.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Tolgee 3.81.1 included the all configuration properties in the PublicConfiguratioDTO publicly exposed to users. This vulnerability is fixed in v3.81.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:54:29.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-3wr3-889v-pgcj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-3wr3-889v-pgcj"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/2481/files#diff-d16735590f0f2db7cd782e2966fa18426b94b5e4030fa8b1f5e00cd55686fe7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/2481/files#diff-d16735590f0f2db7cd782e2966fa18426b94b5e4030fa8b1f5e00cd55686fe7f"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/2689/files",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/2689/files"
}
],
"source": {
"advisory": "GHSA-3wr3-889v-pgcj",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027s configuration all configuration properties leaked in public configuration DTO"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52297",
"datePublished": "2024-11-12T15:54:29.775Z",
"dateReserved": "2024-11-06T19:00:26.395Z",
"dateUpdated": "2024-11-12T18:37:23.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32470 (GCVE-0-2024-32470)
Vulnerability from cvelistv5 – Published: 2024-04-18 15:05 – Updated: 2024-08-02 02:13
VLAI?
Title
Tolgee' API keys created by server admin users bypass the permission check
Summary
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tolgee | tolgee-platform |
Affected:
>= 3.57.2, < 3.57.4
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T00:20:13.964082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:17.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw"
},
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.57.2, \u003c 3.57.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-18T15:05:26.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw"
},
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234"
}
],
"source": {
"advisory": "GHSA-pm57-hcm8-38gw",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027 API keys created by server admin users bypass the permission check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32470",
"datePublished": "2024-04-18T15:05:26.408Z",
"dateReserved": "2024-04-12T19:41:51.167Z",
"dateUpdated": "2024-08-02T02:13:39.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32466 (GCVE-0-2024-32466)
Vulnerability from cvelistv5 – Published: 2024-04-18 15:02 – Updated: 2024-08-02 02:13
VLAI?
Title
Tolgee's API key scopes not checked when querying translation data
Summary
Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tolgee | tolgee-platform |
Affected:
< 3.57.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T15:04:29.774849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:58.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003c 3.57.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-18T15:02:43.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"
}
],
"source": {
"advisory": "GHSA-r95p-fqqv-fppc",
"discovery": "UNKNOWN"
},
"title": "Tolgee\u0027s API key scopes not checked when querying translation data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32466",
"datePublished": "2024-04-18T15:02:43.803Z",
"dateReserved": "2024-04-12T19:41:51.165Z",
"dateUpdated": "2024-08-02T02:13:39.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41316 (GCVE-0-2023-41316)
Vulnerability from cvelistv5 – Published: 2023-09-07 19:39 – Updated: 2024-09-26 14:12
VLAI?
Title
HTML Injection with email in Tolgee
Summary
Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.5 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tolgee | tolgee-platform |
Affected:
< 3.29.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:54:05.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThan": "3.29.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:00:12.956222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:12:50.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-07T19:39:07.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b"
}
],
"source": {
"advisory": "GHSA-gx3w-rwh5-w5cg",
"discovery": "UNKNOWN"
},
"title": "HTML Injection with email in Tolgee"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41316",
"datePublished": "2023-09-07T19:39:07.916Z",
"dateReserved": "2023-08-28T16:56:43.365Z",
"dateUpdated": "2024-09-26T14:12:50.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38510 (GCVE-0-2023-38510)
Vulnerability from cvelistv5 – Published: 2023-07-27 18:57 – Updated: 2024-10-03 18:36
VLAI?
Title
Tolgee Lacks Permission Check for API Key for some endpoints
Summary
Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tolgee | tolgee-platform |
Affected:
>= 3.14.0, < 3.23.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:55.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/1818",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/1818"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7"
},
{
"name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tolgee",
"vendor": "tolgee",
"versions": [
{
"lessThan": "3.23.1",
"status": "affected",
"version": "3.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:35:54.292300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:36:37.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tolgee-platform",
"vendor": "tolgee",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.14.0, \u003c 3.23.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It\u0027s important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T18:57:28.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-4f9j-4vh4-p85v"
},
{
"name": "https://github.com/tolgee/tolgee-platform/pull/1818",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/pull/1818"
},
{
"name": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/commit/4776cba67e7bb8c1b0259376e3e5fa3bb46e45c7"
},
{
"name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.23.1"
}
],
"source": {
"advisory": "GHSA-4f9j-4vh4-p85v",
"discovery": "UNKNOWN"
},
"title": "Tolgee Lacks Permission Check for API Key for some endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38510",
"datePublished": "2023-07-27T18:57:28.197Z",
"dateReserved": "2023-07-18T16:28:12.078Z",
"dateUpdated": "2024-10-03T18:36:37.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}