Date: Wed, 30 Jun 2021 20:25:34 +0200
From: Maurits van Rees <maurits@...rees.org>
To: oss-security@...ts.openwall.com
Subject: Plone: stored XSS in folder contents

A very good day to all you lovely people!

Matt Moreschi discovered a vulnerability in Plone and reported it to the security list, security@...ne.org.

In Plone 5.0.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.

Full information is here:
https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents

Since we had recently created a hotfix package, we decided to include a fix in a new version, 1.5. This is available from
https://pypi.org/project/Products.PloneHotfix20210518/1.5/
and
https://plone.org/security/hotfix/20210518

The fix will be included in the affected package plone.app.content 3.8.8, which will be included in Plone 5.2.5, expected in July.

CVE number is CVE-2021-35959:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35959

Thanks,

-- 
Maurits van Rees
https://maurits.vanrees.org/