Jan Cizmar

4 exploits Active since Jul 2023
CVE-2026-32251 WRITEUP MEDIUM WRITEUP
Tolgee < 3.166.3 - XML External Entity Injection in Resource Import
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
CVSS 6.5
CVE-2023-38510 WRITEUP HIGH WRITEUP
Tolgee 3.14.0-3.23.0 - Missing Authorization via API Key Permission Bypass
Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1.
CVSS 8.1
CVE-2024-32466 WRITEUP LOW WRITEUP
Tolgee < 3.57.2 - Missing Authorization for Translation Data via API Endpoints
Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2
CVSS 2.7
CVE-2024-32470 WRITEUP MEDIUM WRITEUP
Tolgee 3.57.2-3.57.4 - Incorrect Authorization via Admin API Key
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
CVSS 6.5