Reflexive XSS in Zope

Summary:

Reflexive XSS in Zope

Vulnerability type:
XSS
Details:
A reflexive XSS vulnerability in Zope allows arbitrary HTML to be injected after an Image tag when it is rendered. This is only possible if Zope image objects have been added to the instance and their path is known. Plone image objects are unaffected. Fixed in: https://github.com/zopefoundation/Zope/commit/85d2a5f1e6f46c40d32b832a4dca111074a9484b
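As an added illustration of this bug class (hypothetical code, not Zope's own image implementation nor the patched code in the commit above): an image object whose tag rendering interpolates request-supplied attribute values verbatim, beside a hardened version that restricts attribute names and HTML-escapes every value. The `Image` class, its attribute set and the sample payload are all constructed for the example.

```python
import html

# Hypothetical image object (not Zope's OFS Image): it knows its path and
# size and renders itself as an <img> tag with caller-supplied attributes,
# some of which may originate from request parameters.
class Image:
    def __init__(self, path, width, height):
        self.path, self.width, self.height = path, width, height

    def tag_vulnerable(self, extra):
        # Values are interpolated verbatim, so a value containing '">' closes
        # the attribute and the tag, and anything after it lands in the page
        # as markup following the <img> tag.
        attrs = " ".join(f'{k}="{v}"' for k, v in extra.items())
        return (f'<img src="{self.path}" width="{self.width}" '
                f'height="{self.height}" {attrs}>')

    def tag_hardened(self, extra):
        # Allow only a fixed set of attribute names, coerce numeric fields,
        # and escape every value including quotes so it can never leave
        # the attribute it was placed in.
        allowed = {"alt", "title", "class"}
        parts = [f'src="{html.escape(str(self.path), quote=True)}"',
                 f'width="{int(self.width)}"',
                 f'height="{int(self.height)}"']
        for name, value in extra.items():
            if name not in allowed:
                continue
            parts.append(f'{name}="{html.escape(str(value), quote=True)}"')
        return "<img " + " ".join(parts) + ">"

def is_single_element(rendered):
    # A rendered tag survived this bug class only if exactly one element was
    # produced: the sole '<' is the one opening <img>, and it ends with '>'.
    return rendered.count("<") == 1 and rendered.endswith(">")

# Constructed request input: closes the attribute and tag, then appends markup.
SAMPLE_PAYLOAD = {"alt": '"><script>alert(1)</script><p x="'}
SAMPLE_IMAGE = Image("/site/images/logo.png", 120, 40)
```

Running `SAMPLE_IMAGE.tag_vulnerable(SAMPLE_PAYLOAD)` yields two extra elements after the image tag, while `tag_hardened` keeps the whole payload inside the `alt` attribute.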
Current status:
Patched
Date reported:
Jan 23, 2013
Date patched:
Dec 10, 2013
Reported by:
Richard Mitchell, of the Plone Security Team
Fixed by:
Matthew Wilkes, of the Zope Security Team
Coordinated by:
Plone Security Team
CVE Identifier:
CVE-2013-7062
Affected Plone versions:
4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2, 4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.10, 4.0.9, 4.0.8, 4.0.7, 4.0.5, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6, 3.3.5, 3.3.4, 3.3.3, 3.3.2, 3.3.1, 3.3

CVSS Scoring

Access Vector:
Network
Access Complexity:
Medium
Authentication:
None
Confidentiality Impact:
None
Integrity Impact:
Partial
Availability Impact:
None