eea.facetednavigation vulnerability requires immediate upgrade

A medium severity vulnerability in the popular add-on product EEA Faceted Navigation.

eea.facetednavigation, a widely used add-on for the Plone Content Management System, has been discovered to have a vulnerability that allows an anonymous attacker to execute arbitrary JavaScript code on pages where eea.facetednavigation is enabled.

Installations of Plone that do not include the eea.facetednavigation add-on are not affected by this vulnerability.

The vulnerability is present in all versions of eea.facetednavigation. Users should immediately upgrade to eea.facetednavigation version 6.7 that has been released today to the Plone and Python package repositories.

If at any reason you can not upgrade eea.facetednavigation to the latest version you can easily patch your server by adding the following JavaScript hotfix via ZMI:

  1. Upload the javascript patch to /portal_skins/custom/EEAFacetedNavigationHotFix.js
  2. Include this JS file within /portal_javascripts/manage_jsForm

Help for installing the upgrade is available on the #plone IRC channel and forums.

Upgrading an already installed package requires you to specify the new version number in your buildout configuration file and run buildout to update your configuration.

For security researchers

No CVE has been assigned to this vulnerability as yet.

This is a severity 4.3 vulnerability (AV:N/AC:M/Au:N/C:P/I:N/A:N) that allows remote javascript execution using a reflective XSS attack.

Credit for discovery and patching goes to Eau de Web s.r.l.