Weblate

Listed on HackerOne. Updated on 2019/10/15.

Reports in last 90 days:
Disclosed resolved issues: 122
Disclosed informative issues: 5
Disclosed N/A issues: 1

Disclosed reports (times are given as days and hours from submission; "Not triaged" means the report was closed without a triage step):

Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status
Medium | Stored XSS via Create Project (Add new translation project) | Cross-site Scripting (XSS) - Stored | th3_alchem1st | Not triaged | 0d 3h | Resolved
Medium | HTML injection and information disclosure in support panel | Information Disclosure | xalerafera | 0d 1h | 0d 1h | Resolved
Medium | Stored XSS @ /engage/<project_slug> | Cross-site Scripting (XSS) - Stored | lgian | 0d 13h | 0d 0h | Resolved
Low | No Rate Limit On Add new word | Business Logic Errors | elmahdi | Not triaged | 0d 8h | Resolved
Low | No Rate Limit On Add Suggest | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | elmahdi | 0d 16h | 3d 20h | Resolved
Low | Flood of comments: no rate limit on comments (by using a different user agent) | Violation of Secure Design Principles | crazy_wonk | Not triaged | 0d 1h | Resolved
Low | Flood of email: no rate limit on delete account confirmation email (2nd issue) | Violation of Secure Design Principles | crazy_wonk | Not triaged | 0d 16h | Resolved
None | Broken Authentication – Session Token bug | None supplied | crazy_wonk | Not triaged | 0d 1h | Resolved
No rating | Browser Self XSS Protection not implemented | Information Disclosure | hallaleen | Not triaged | 0d 0h | Resolved
Low | No notification sent to the victim if an attacker accesses the victim's Weblate account | Business Logic Errors | c0narp | Not triaged | 0d 3h | Resolved
Low | Open port leads to information disclosure | Information Disclosure | str33 | Not triaged | 0d 2h | Informative
No rating | Tab nabbing via window.opener | None supplied | logan47 | Not triaged | 0d 0h | Resolved
No rating | Running 2 accounts with a single email #3 | Business Logic Errors | footstep | 0d 7h | 95d 19h | Resolved
No rating | Account Restore / Reactivating an old email via old reset link | None supplied | footstep | Not triaged | 5d 4h | Resolved
Low | Insecure Account Removal #2 | Violation of Secure Design Principles | japz | 1d 1h | 139d 1h | Resolved
None | Audit log validation | Improper Neutralization of HTTP Headers for Scripting Syntax | mur90210 | 0d 14h | 4d 13h | Resolved
None | DNSSEC Zone Walk using NSEC Records | Information Disclosure | pk21 | 0d 1h | 6d 23h | Informative
None | Improper validation of unicode characters | None supplied | crazy_wonk | Not triaged | 0d 2h | Resolved
No rating | Add another email address without verification | Improper Access Control - Generic | tungpun | 0d 1h | 0d 1h | Resolved
No rating | Application allowing old password to be set as new password (hosted.weblate.org) | None supplied | punkit | Not triaged | 0d 0h | Resolved
No rating | Reset password more than once with a reset link #2 | Business Logic Errors | footstep | 0d 12h | 44d 16h | Resolved
No rating | Running 2 accounts with a single email [Part 2] | Business Logic Errors | footstep | 7d 2h | 1d 23h | Resolved
None | No rate limit or captcha to identify humans | Violation of Secure Design Principles | alyanwarr | 0d 0h | 0d 0h | Resolved
None | Missing Restriction On String Size | Memory Corruption - Generic | alyanwarr | Not triaged | 0d 0h | Resolved
None | DKIM records not present, email hijacking is possible | Improper Authentication - Generic | kaamakya | Not triaged | 0d 16h | Resolved