CVE-2023-38510

Name of the Vulnerable Software and Affected Versions Tolgee versions 3.14.0 through 3.23.1

Description Tolgee is an open-source localization platform. When a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. This issue only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted.

Recommendations For versions 3.14.0 through 3.23.1, update to version 3.23.1 to resolve the issue. As a temporary workaround, consider restricting access to API endpoints that use API keys until the update is applied. Additionally, ensure that API keys are kept secure and not exposed on the internet to minimize the risk of exploitation.