XSS in the title field on Plone 5.0 and higher.

by Maurits van Rees published 2020/01/21 15:36:00 GMT+0, last modified 2020-01-24T15:18:24+00:00

Versions affected

  • 5.2.1
  • 5.2.0
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.0.10
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1

Vulnerability

A user with Editor or Contributor permissions can create a Folder and put JavaScript in its title. In most places the title is escaped, which renders the JavaScript harmless. In Plone 5.2, however, it may end up unescaped in the global navigation, and in Plone 5.0 and higher it may end up unescaped in the breadcrumbs of the folder contents page.
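
The problem described above is escaping that holds in most views but is missing in a few render sinks. As an added example (not Plone's code and not the Security Team's patch), this Python check feeds an inert canary title to each sink and uses an HTML parser to see whether the title was parsed as markup; the render functions, sink names and canary are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed canary: an inert marker element standing in for markup in a title.
CANARY_TAG = "xsscanary"
CANARY_TITLE = f"Q4 <{CANARY_TAG}> reports"

# Hypothetical render sinks, not Plone's code. Each receives the stored title.
def listing(title):
    return f"<td>{html.escape(title)}</td>"

def navigation_before(title):
    # Raw interpolation: the title becomes part of the markup.
    return f'<li><a href="/folder">{title}</a></li>'

def breadcrumbs_before(title):
    return "<ol><li>Home</li><li>" + title + "</li></ol>"

def navigation_after(title):
    # Escape at the sink, immediately before the value enters HTML.
    return f'<li><a href="/folder">{html.escape(title)}</a></li>'

def breadcrumbs_after(title):
    return "<ol><li>Home</li><li>" + html.escape(title) + "</li></ol>"

class _CanaryFinder(HTMLParser):
    """Records whether the canary was parsed as a real element."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == CANARY_TAG:
            self.found = True

def reaches_markup(rendered):
    finder = _CanaryFinder()
    finder.feed(rendered)
    finder.close()
    return finder.found

def audit(sinks, title=CANARY_TITLE):
    """Return the names of sinks that emit the title without escaping."""
    return sorted(n for n, render in sinks.items() if reaches_markup(render(title)))

BEFORE = {"listing": listing, "global navigation": navigation_before,
          "breadcrumbs": breadcrumbs_before}
AFTER = {"listing": listing, "global navigation": navigation_after,
         "breadcrumbs": breadcrumbs_after}
```

Running the same audit against every template that prints a title catches the case where one view escapes and another does not.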

Current status

Patched

Credits

Discovered by

  • Marcos Valle

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team