Public Weblate bug reports.

Team - Title
Weblate - [debian.weblate.org]-Missing SPF Record
Weblate - Password token validation in Weblate Bypass #2
Weblate - Password token validation in Weblate Bypass
Weblate - Error Message When Changing Username
Weblate - Improper validation of unicode characters #3
Weblate - No Rate Limitation on Regenerate Api Key
Weblate - Previous password could be set as new password
Weblate - Improper validation of unicode characters still not fixed #2
Weblate - The username of an account can be ..
Weblate - Reset password more than once with a reset link
Weblate - No filtration of null characters in name field
Weblate - Improper validation of unicode characters
Weblate - Persistence of Third Party Association.
Weblate - Full Name Overwrite on Third party login
Weblate - Improper validation of unicode characters still not fixed
Weblate - Open redirect while disconnecting Email
Weblate - API Does Not Apply Access Controls to Translations
Weblate - Uploaded XLF files result in External Entity Execution
Weblate - Improper Cookie expiration | Cookies Expiration Set to Future
Weblate - CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org
Weblate - CSRF bypass (Delete Source Translation From dictionaries) in demo.weblate.org
Weblate - Weblate | Security Misconfiguration | Method Enumeration Possible on domain
Weblate - Weblate - Banner Grabbing - Nginx Server version
Weblate - OPTIONS method enabled
Weblate - Takeover of an account via reset password options after removing the account
Weblate - Password token validation in https://demo.weblate.org/
Weblate - Password Restriction
Weblate - No notification sent on email after account deletion.
Weblate - Adding Email lacks Password validation
Weblate - Rate Limit Issue on hosted.weblate.org
Weblate - Missing restriction on string size
Weblate - Self-XSS can be achieved in the editor link using filter bypass
Weblate - Information Disclosure on demo.weblate.org
Weblate - Captcha bypass at registration
Weblate - Old password can be new password
Weblate - Captcha Bypass at Email Reset can lead to Spamming users.
Weblate - Login CSRF : Login Authentication Flaw
Weblate - No Rate Limiting at /contact
Weblate - Improper validation of unicode characters
Weblate - Design Flaw in session management of password reset
Weblate - Csrf in watch-unwatch projects
Weblate - Missing filtration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register
Weblate - Facebook share URL should be HTTPS
Weblate - 7BO: Binary Option Robot URL should be HTTPS
Weblate - Account Takeover using Third party Auth CSRF
Weblate - ClickJacking on Debug
Weblate - Incorrect HTTPS Certificate
Weblate - full path disclosure at hosted.weblate.org/admin/accounts/profile/
Weblate - CSRF to Connect third party Account
Weblate - Weak password policy
Weblate - Rate Limit Bypass on login Page
Weblate - session id missing secure flag - Hosted Website
Weblate - Invalidate session after password reset - hosted website
Weblate - Bypassing captcha in registration on Hosted site
Weblate - Open redirect while disconnecting authenticated account
Weblate - CSV Injection with the CSV export feature - Glossary
Weblate - Email verification over an unencrypted channel
Weblate - Email spoofing at weblate.org
Weblate - Running 2 accounts with a single email
Weblate - Specify maximal length in translation
Weblate - HttpOnly Flag not set
Weblate - CSV export filter bypass leads to formula injection.
Weblate - Specify maximal length in new comment
Weblate - No Password Length Restriction leads to Denial of Service
Weblate - Setting a password with a single character
Weblate - Access to completion page without performing any action
Weblate - weblate.org: X-XSS-Protection not enabled
Weblate - Open redirect in Signing in via Social Sites
Weblate - No Rate Limiting at Change Password
Weblate - Self XSS at translation page through Editor Link at demo.weblate.org
Weblate - demo.weblate.org is vulnerable to SWEET32 Vulnerability
Weblate - [hosted.weblate.org]Account Takeover
Weblate - Content Spoofing
Weblate - Null Password - Setting a new password doesn't check for empty spaces
Weblate - Notify user about password change
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit
Weblate - Missing DMARC on weblate.org
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form
Weblate - User Enumeration when adding email to account
Weblate - Spamming any user from Reset Password Function
Weblate - Existing sessions valid after removing third party auth
Weblate - Weak e-mail change functionality could lead to account takeover
Weblate - Content Spoofing in error message
Weblate - Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/
Weblate - Open SMTP port can let anyone send email from mail.chihar.com
Weblate - Improper access control when an added email address is deleted from authentication
Weblate - Content Spoofing
Weblate - Login using disconnected google account i.e login using old email id
Weblate - hosted.weblate.org: X-XSS-Protection not enabled
Weblate - Clickjacking docs.weblate.org
Weblate - Directory Listing
Weblate - You can simply use passwords as weak as 123456
Weblate - CSRF - Changing the full name / adding a secondary email identity of an account via a GET request
Weblate - Improper Password Reset Policy on https://hosted.weblate.org/
Weblate - Insecure Account Removal
Weblate - Web server is vulnerable to Beast Attack
Weblate - CSRF : Lock and Unlock Translation
Weblate - CSV Injection with the CSV export feature
Weblate - Already Registered Email Disclosure
Weblate - Activation tokens are not expiring
Weblate - No BruteForce Protection
Weblate - CSRF : Reset API
Weblate - [demo.weblate.org] Stored Self-XSS via Editor Link in Profile
Weblate - Logout CSRF
Weblate - No expiration of session ID after Password change
Weblate - Open Redirect via "next" parameter in third-party authentication
Weblate - Registration captcha bypass