Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 30 Jun 2021 20:25:34 +0200
From: Maurits van Rees <maurits@...rees.org>
To: oss-security@...ts.openwall.com
Subject: Plone: stored XSS in folder contents

A very good day to all you lovely people!

Matt Moreschi discovered a vulnerability in Plone and reported it to the 
security list, security@...ne.org.
In Plone 5.0.0 through 5.2.4, Editors are vulnerable to XSS in the 
folder contents view, if a Contributor has created a folder with a 
SCRIPT tag in the description field.
Full information is here: 
https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents
Since we had recently created a hotfix package, we decided to include a 
fix in a new version, 1.5.
This is available from 
https://pypi.org/project/Products.PloneHotfix20210518/1.5/ and 
https://plone.org/security/hotfix/20210518
The fix will be included in the affected package plone.app.content 
3.8.8, which will be included in Plone 5.2.5, expected in July.

CVE number is CVE-2021-35959:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35959

Thanks,

-- 
Maurits van Rees https://maurits.vanrees.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.