CVE-2010-2422: HTML injection in safe_html
Update: we now have an official CVE number: CVE-2010-2422
The fix is included in an update of PortalTransforms.
Alan Hoey of Team Rubber found a bug in the HTML filtering of all Plone versions. Users who can create content can exploit this flaw to circumvent the normal HTML filtering.
This issue has been assigned the number CVE-2010-2422.
Affected versions
All Plone releases since 2.1 are affected.
Installing the hotfix
Installation for Plone 2.1 - 3.1 users
To install this hotfix, download and unzip the distribution and add the directory PloneHotfix20100612 to your instance's Products directory. If the hotfix has been successfully added, you will see the following message when starting the instance in foreground mode:
2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched
Installation for Plone 3.2 and 3.3 users
Although this hotfix will work with any version of Plone, users of Plone 3.2 to Plone 3.3.5 should instead add the following to their buildout configuration files and re-run buildout:
[versions]
Products.PortalTransforms = 1.6.12
There will be no confirmation message on start-up, so the presence of the fix can be verified by checking the version number of PortalTransforms in the Zope Control Panel.
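Whichever path was taken, the result is worth confirming on each instance. The following is an added example, not part of the Plone advisory or its hotfix: it checks a captured foreground start-up log for the hotfix message above, or compares the PortalTransforms version read from the Zope Control Panel against 1.6.12 (comparing numerically, since a plain string comparison would rank 1.6.9 above 1.6.12). The log text and version string are assumed to have been collected by the operator; the sample log lines are constructed.

```python
import re

# Fixed PortalTransforms release named in the advisory.
FIXED_VERSION = (1, 6, 12)
# Start-up message printed by the hotfix product in foreground mode.
HOTFIX_MARKER = "PloneHotfix20100612 safe_html patched"


def parse_version(text):
    """Turn '1.6.12' into (1, 6, 12) so comparison is numeric, not lexical."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(p) for p in parts)


def hotfix_logged(log_text):
    """True if the hotfix product announced itself in the start-up log."""
    return any(HOTFIX_MARKER in line for line in log_text.splitlines())


def portaltransforms_fixed(version_text):
    """True if the installed PortalTransforms is 1.6.12 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def safe_html_fixed(log_text, version_text=None):
    """Either remediation path counts: hotfix loaded, or fixed release pinned."""
    if hotfix_logged(log_text):
        return True
    return version_text is not None and portaltransforms_fixed(version_text)


# Constructed sample log, modelled on the advisory's start-up message.
SAMPLE_LOG = """\
2010-06-12 23:54:20 INFO ZServer HTTP server started
2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched
2010-06-12 23:54:30 INFO Zope Ready to handle requests
"""

if __name__ == "__main__":
    print(safe_html_fixed(SAMPLE_LOG))        # hotfix line present -> True
    print(safe_html_fixed("", "1.6.12"))      # fixed release pinned -> True
    print(safe_html_fixed("", "1.6.9"))       # older than 1.6.12 -> False
```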
Reported incidents
No incidents of this vulnerability being exploited have been reported.
References
- CVE-2010-2422