Date: Thu, 26 Feb 2015 10:38:20 -0700
From: Kurt Seifried <>
To: <>, Tres Seaver <>, Assign a CVE Identifier <>
Subject: XSS In Zope

So originally Radek Steoger of Red Hat found an XSS in luci/conga:

Within luci's use of Products.PluggableAuthService there appears to be
an XSS, e.g.:'1234')%3C/script%3E

This was tracked down to being in Products.PluggableAuthService (a
component of Zope).

I notified the Zope security people; they tracked it down on their end.
This was actually found/fixed in 2009:

and the fix was forward ported from the 2.10 branch, as well as to the
2.11 branch and the trunk. The fix landed in:
  Zope 2.10.10
  Zope 2.11.5
  Zope 2.12.2

With thanks to Tres, Matt and Nathan for sorting this out/chasing it
down on Zope's end (basically they did all the heavy lifting).

So this should probably get a CVE from 2009.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
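The report above describes a reflected XSS: a value from the request is echoed into the login page markup without being escaped. The following is an added illustration of that defect class and its fix, written for this page; it is not Kurt's code, not Zope's or PluggableAuthService's code, and not the actual 2009 patch. The parameter name `came_from` and the reconstructed full payload (`<script>alert('1234')</script>`, built around the fragment quoted in the mail) are assumptions for illustration only.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: the payload fragment quoted in the report, as it
# would arrive URL-encoded in a query string. The parameter name "came_from"
# is an assumption for illustration; the mail does not name the parameter.
SAMPLE_QUERY = "came_from=%3Cscript%3Ealert('1234')%3C/script%3E"


def _came_from(query: str) -> str:
    """Extract and URL-decode the (assumed) reflected parameter."""
    return parse_qs(query).get("came_from", [""])[0]


def render_login_unsafe(query: str) -> str:
    """The defect class described in the report: a request parameter is
    interpolated straight into the login form's HTML, so any markup the
    client supplied is rendered as markup."""
    came_from = _came_from(query)
    return f'<input type="hidden" name="came_from" value="{came_from}">'


def render_login_safe(query: str) -> str:
    """Hardened form: HTML-escape the value (including quotes, since it lands
    inside an attribute) before interpolating it into the page."""
    came_from = html.escape(_came_from(query), quote=True)
    return f'<input type="hidden" name="came_from" value="{came_from}">'


def contains_active_markup(rendered: str) -> bool:
    """Simple regression check a maintainer can run over rendered output:
    true if an unescaped <script tag (or an attribute break-out) survived."""
    lowered = rendered.lower()
    return "<script" in lowered or '"><' in lowered


if __name__ == "__main__":
    print("unsafe:", render_login_unsafe(SAMPLE_QUERY))
    print("safe:  ", render_login_safe(SAMPLE_QUERY))
    print("unsafe renders script tag:", contains_active_markup(render_login_unsafe(SAMPLE_QUERY)))
    print("safe renders script tag:  ", contains_active_markup(render_login_safe(SAMPLE_QUERY)))
```

The check in `contains_active_markup` is what a unit test for the fixed branches (2.10.10, 2.11.5, 2.12.2 per the mail) would assert on: the same request must produce escaped text in the page, never a live `<script>` element.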
