CVE-2024-32466 - Vulnerability Details - OpenCVE

Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00097.

Key SSVC decision points have not yet been added.

Vendors	Products
Tolgee	Tolgee

Configuration 1 [-]

cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc

History

Thu, 11 Sep 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tolgee Tolgee tolgee
CPEs		cpe:2.3:a:tolgee:tolgee::::::::
Vendors & Products		Tolgee Tolgee tolgee

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-18T15:02:43.803Z

Updated: 2024-08-02T02:13:39.097Z

Reserved: 2024-04-12T19:41:51.165Z

Link: CVE-2024-32466

Vulnrichment

Updated: 2024-08-02T02:13:39.097Z

NVD

Status : Analyzed

Published: 2024-04-18T15:15:30.300

Modified: 2025-09-11T21:31:38.727

Link: CVE-2024-32466

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32466", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-12T19:41:51.165Z", "datePublished": "2024-04-18T15:02:43.803Z", "dateUpdated": "2024-08-02T02:13:39.097Z"}, "containers": {"cna": {"title": "Tolgee's API key scopes not checked when querying translation data", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"}, {"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "tags": ["x_refsource_MISC"], "url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"}], "affected": [{"vendor": "tolgee", "product": "tolgee-platform", "versions": [{"version": "< 3.57.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-18T15:02:43.803Z"}, "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2\n"}], "source": {"advisory": "GHSA-r95p-fqqv-fppc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T15:04:29.774849Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:58.939Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:39.097Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"}, {"name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:39.097Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T15:04:29.774849Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:44.643Z"}}], "cna": {"title": "Tolgee's API key scopes not checked when querying translation data", "source": {"advisory": "GHSA-r95p-fqqv-fppc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "tolgee", "product": "tolgee-platform", "versions": [{"status": "affected", "version": "< 3.57.2"}]}], "references": [{"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "name": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-18T15:02:43.803Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32466", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:13:39.097Z", "dateReserved": "2024-04-12T19:41:51.165Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-18T15:02:43.803Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A281189-0C91-4BFB-9949-0107D7A74D48", "versionEndExcluding": "3.57.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2\n"}, {"lang": "es", "value": "Tolgee es una plataforma de localizaci\u00f3n de c\u00f3digo abierto. Para los endpoints `/v2/projects/translations` y `/v2/projects/{projectId}/translations`, se devolvieron datos de traducci\u00f3n incluso cuando a la clave API le faltaba el alcance `translation.view`. Sin embargo, fue imposible recuperar los datos cuando al usuario le faltaba este alcance. Por lo tanto, esto solo es relevante para las claves API generadas por usuarios autorizados a `translation.view`. Esta vulnerabilidad est\u00e1 solucionada en v3.57.2"}], "id": "CVE-2024-32466", "lastModified": "2025-09-11T21:31:38.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-18T15:15:30.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/tolgee/tolgee-platform/commit/f71213925d6f80019f841db0ead9baa7488c1821"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}