CVE-2025-47951
MEDIUM4.9EPSS 0.20%Weblate lacks rate limiting when verifying second factor
發布日:2025/6/16修改日:2025/6/16
描述
### Impact The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918. ### References Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).
受影響套件(1)
- PyPI/weblatefrom 0, < 5.12
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47951
- PATCHhttps://github.com/WeblateOrg/weblate
- WEBhttps://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384
- WEBhttps://github.com/WeblateOrg/weblate/pull/14918
- WEBhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1
- WEBhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q
- WEBhttps://hackerone.com/reports/3150564