CVE-2025-67715
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | up to 5.15 (5.15 itself excluded, i.e. all versions before 5.15) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67715 is a vulnerability in Weblate versions prior to 5.15 where insufficient access controls in the Weblate API allowed low-privileged attackers to retrieve user notification settings and list all users without proper authorization. This was due to improper permission checks in the API endpoints related to user management. The issue was fixed in version 5.15 by introducing fine-grained permission checks, including an 'allow_self' parameter to differentiate self-service actions from administrative ones, restricting user search to authenticated users, and tightening access to user notifications to prevent unauthorized data exposure. [1, 2]
How can this vulnerability impact me?
An attacker with low privileges can use this vulnerability to read confidential user information such as notification settings and to enumerate all users through the Weblate API. The exposure compromises confidentiality only; it does not affect data integrity or availability. Unauthorized access to user notifications and user lists can lead to privacy breaches or information disclosure within your organization. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can attempt to access the Weblate API endpoints related to user notifications and user listing without proper authentication or with a low-privilege account. For example, try to list all users or retrieve notification settings via API calls without admin rights. Using curl:
1) Attempt to list users without authentication: `curl -X GET https://<weblate-server>/api/users/`
2) Attempt to retrieve notification settings for other users: `curl -X GET https://<weblate-server>/api/notifications/ -H 'Authorization: Bearer <low-privilege-token>'`
If these calls succeed on a version prior to 5.15, the instance is vulnerable. From version 5.15 on, these endpoints require authentication and the proper permissions, so unauthorized access should be denied. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Weblate to version 5.15 or later, where the vulnerability is fixed by enforcing proper access controls on the API. If upgrading immediately is not possible, restrict access to the Weblate API endpoints related to user management and notifications to trusted users only, and ensure that unauthenticated or low-privilege users cannot access these endpoints. Additionally, monitor API access logs for unauthorized attempts to list users or retrieve notifications. [1, 2]
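The detection and mitigation answers above both point at the same signals: reads of `/api/users/` and `/api/notifications/` that either succeed for a client that should not have them, or that are refused with 401/403 once the instance is patched. The script below is an added example written for this page, not code from Weblate or BaseFortify. It parses web-server access log lines in the combined format, counts requests to those two endpoints per client address, and flags clients that walked the paginated user list or were denied. The endpoint paths come from the advisory text; the sample log lines, the page threshold and the client addresses are constructed for the example.

```python
"""Triage a web-server access log for reads of the Weblate API endpoints
named in CVE-2025-67715 (/api/users/ and /api/notifications/).

Illustrative code written for this page; not part of Weblate. The log lines
are constructed in nginx/Apache combined format, and the thresholds are
assumptions, not values from the advisory.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Endpoints whose unauthorized reads the advisory describes.
SENSITIVE_PREFIXES = ("/api/users/", "/api/notifications/")

# Constructed sample traffic (not real logs): one client pages through the
# user list, one is refused on notifications, one is refused on users.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2025:10:00:01 +0000] "GET /api/users/ HTTP/1.1" 200 5123 "-" "curl/8.4.0"
10.0.0.5 - - [16/Dec/2025:10:00:02 +0000] "GET /api/users/?page=2 HTTP/1.1" 200 5087 "-" "curl/8.4.0"
10.0.0.5 - - [16/Dec/2025:10:00:03 +0000] "GET /api/users/?page=3 HTTP/1.1" 200 4990 "-" "curl/8.4.0"
10.0.0.9 - - [16/Dec/2025:10:01:00 +0000] "GET /api/notifications/ HTTP/1.1" 200 2231 "-" "python-requests/2.32"
10.0.0.9 - - [16/Dec/2025:10:01:05 +0000] "GET /api/notifications/ HTTP/1.1" 401 77 "-" "python-requests/2.32"
192.0.2.7 - - [16/Dec/2025:10:02:00 +0000] "GET /api/projects/ HTTP/1.1" 200 901 "-" "Mozilla/5.0"
192.0.2.7 - - [16/Dec/2025:10:02:10 +0000] "GET /api/users/ HTTP/1.1" 403 88 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def bare_path(path: str) -> str:
    """Strip the query string so /api/users/?page=2 compares as /api/users/."""
    return path.split("?", 1)[0]


def is_sensitive(path: str) -> bool:
    return bare_path(path).startswith(SENSITIVE_PREFIXES)


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per client IP: sensitive-endpoint reads that succeeded (2xx), were
    denied (401/403), and how many successful /api/users/ pages were fetched."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"success": 0, "denied": 0, "users_pages": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        s = stats[rec["ip"]]
        if 200 <= rec["status"] < 300:
            s["success"] += 1
            if bare_path(rec["path"]) == "/api/users/":
                s["users_pages"] += 1
        elif rec["status"] in (401, 403):
            s["denied"] += 1
    return dict(stats)


def flag_suspicious(stats: Dict[str, Dict[str, int]],
                    page_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (ip, reason) pairs worth reviewing.

    'enumeration': at least page_threshold successful /api/users/ reads, the
    pattern of a client walking the paginated user list (on a pre-5.15
    instance this may have been unauthorized; the log carries no auth info,
    so correlate with the account before concluding).
    'denied': the endpoint refused the client; on a patched instance this is
    what an unauthorized attempt looks like.
    """
    findings: List[Tuple[str, str]] = []
    for ip, s in sorted(stats.items()):
        if s["users_pages"] >= page_threshold:
            findings.append((ip, "enumeration"))
        if s["denied"]:
            findings.append((ip, "denied"))
    return findings


if __name__ == "__main__":
    for ip, reason in flag_suspicious(summarize(SAMPLE_LOG)):
        print(f"{ip}: {reason}")
```

Run it against your real access log by reading the file into `summarize()` in place of `SAMPLE_LOG`. The page threshold is deliberately low for the sample; tune it to the size of your user list, and remember that a 2xx on these endpoints is only a lead, not proof of unauthorized access, because the access log does not record which account made the request.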
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized retrieval of user notification settings and enumeration of all users via the API, which could lead to exposure of personal data. This unauthorized access to user information may impact compliance with data protection regulations such as GDPR and HIPAA by violating principles of confidentiality and proper access control. The fix in version 5.15 improves access controls to prevent unauthorized data disclosure, thereby helping to maintain compliance with such standards. [1, 2]