CVE-2024-32466

Sažetak

Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2

Reference

https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc
https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc

CVSS

Base:	2.7
Impact:	1.4
Exploitability:	1.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

11-09-2025 - 21:31

Objavljeno

18-04-2024 - 15:15