Plone Security Advisory 20230921

Various vulnerabilities in Plone and Zope have been reported and fixed. They affect all supported Plone versions: 5.2 and 6.0. Older unsupported Plone versions are likely also affected.

There will be no hotfix package for these: you should update the version pins of individual packages. See this post about why we do less hotfix packages.

Denial of service

In plone.rest when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.

Security advisory: CVE-2023-42457.

Stored XSS

There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and ClassicUI.

Technically, ClassicUI is not vulnerable for the user portrait part, because you cannot upload an SVG as user portrait. But in Volto you can, so you may be able to access a vulnerable url in the backend anyway.

Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload a malicious SVG image, and then trick a user into following a specially crafted link.

Fixes are needed in three packages. We link to the security advisories:

Information disclosure and sandbox escape

Earlier this month, new Zope releases were made, which included security releases of AccessControl and RestrictedPython . See the community announcement.

Fixed Plone versions

All needed packages are included in Plone 5.2.14 and Plone 6.0.7.

Package versions

If you cannot or do not want to upgrade your entire Plone version, you can upgrade individual package versions. Fixes are available in these versions:

AccessControl = 4.4, 5.8, 6.2
RestrictedPython = 5.4, 6.2
plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1
plone.rest = 2.0.1, 3.0.1
plone.restapi = 8.43.4
Zope = 4.8.10, 5.8.5

If you are using Buildout, then for the Zope, AccessControl and RestrictedPython versions it is best to update the [buildout] extends lines to include the following.

So which versions of these packages should you use on which Plone version?

To avoid surprises, you should use the version that is closest to the version you are already using. If you use the default versions, the following should help. Below version lists use the Buildout notation with a single equals sign (=). If you use a pip constraints file, you should use a double equals sign.

Plone 5.2

AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10

If you run Plone 5.2 on Python 3, and you are already using plone.restapi 8, then you can additionally use:

plone.restapi = 8.43.4

Plone 6.0.0/6.0.1

AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 2.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5

Plone 6.0.2

AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5

Plone 6.0.3/6.0.4

AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5

Plone 6.0.5/6.0.6

AccessControl = 6.2
plone.namedfile = 6.1.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5

If you are having problems with the installation, or see regressions, please make a post in this thread, and anyone can help you.

If you see further security problems, please mail the Plone/Zope Security Team.