Zee99Y

**Name of the Vulnerable Software and Affected Versions** Weblate versions prior to 1.17.0 **Description** The Weblate command-line client, `wlc`, which utilizes Weblate's REST API, had a flaw where SSL verification was bypassed for specific, manipulated URLs. This could potentially allow for man-in-the-middle attacks. The issue was addressed in version 1.17.0. The vulnerable component interacts with Weblate's REST API endpoints. **Recommendations** Update to version 1.17.0 or later.

**Name of the Vulnerable Software and Affected Versions** wlc versions prior to 1.17.0 **Description** wlc, a Weblate command-line client utilizing Weblate’s REST API, permitted the use of unscoped API keys in its settings before version 1.17.0. Although discouraged, the functionality was not removed, potentially leading to API key leakage to various servers. **Recommendations** Update to version 1.17.0 or later.

**Name of the Vulnerable Software and Affected Versions** Weblate wlc versions prior to 1.17.2 **Description** The Weblate command-line client (wlc), which uses Weblate's REST API, is susceptible to an arbitrary file write issue. A crafted server can instruct the multi-translation download functionality to write files to an unintended location. This is due to unsanitized API slugs. The issue allows a malicious or compromised Weblate server to write arbitrary files to the client system. The vulnerability is related to the `wlc download` command. **Recommendations** Versions prior to 1.17.2 should be updated to version 1.17.2. As a workaround, avoid using the `wlc download` command with untrusted servers.