Reflexive XSS in Zope

by matthewwilkes — published 2013/12/10 14:48:00 GMT+0, last modified 2016-08-30T16:38:00+00:00

Versions affected

  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Vulnerability

Zope's session infrastructure includes a method for encoding URLs, which is accessible through the web. By passing HTML into this method, a reflexive XSS attack can be achieved.

Fixed in: https://github.com/zopefoundation/Zope/commit/90360c444fae8fd2b8b7d3250743d4bbb2f82baf
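
The pattern described above, as an added Python illustration that is not Zope's code and not the referenced fix: a helper that appends a session id to a caller-supplied URL reflects any markup in that URL when its return value is served as HTML. All function names, the `sid` parameter name and the sample input are hypothetical.

```python
# Added illustration, not Zope's code: every name here is hypothetical.
from html import escape
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

SID_PARAM = "sid"  # hypothetical session-id parameter name


def encode_url_naive(url, sid):
    """Append the session id by string concatenation (the risky pattern)."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{SID_PARAM}={sid}"


def encode_url_strict(url, sid):
    """Rebuild the URL from parsed parts so markup characters are percent-encoded."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        raise ValueError("unsupported URL scheme")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((SID_PARAM, sid))
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        quote(parts.path, safe="/%"),   # keep existing %XX escapes intact
        urlencode(query),
        quote(parts.fragment, safe=""),
    ))


def as_html_response(body):
    """Body of a text/html response: escape for the HTML context on output."""
    return escape(body, quote=True)


# Constructed input: a caller-supplied "URL" that carries markup.
SAMPLE = 'http://example.org/page"><b>injected</b>'

if __name__ == "__main__":
    print(encode_url_naive(SAMPLE, "abc123"))                    # markup survives
    print(encode_url_strict(SAMPLE, "abc123"))                   # markup percent-encoded
    print(as_html_response(encode_url_naive(SAMPLE, "abc123")))  # markup escaped
```

Either measure on its own stops the reflection in this sketch; applying both covers the case where the helper is later reused in a different output context.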

Current status

Patched

Credits

Discovered by

  • Richard Mitchell, of the Plone Security Team

Fixed by

  • Matthew Wilkes, of the Zope Security Team

Coordinated by

  • Plone Security Team