Date: Wed, 30 Jun 2021 20:25:34 +0200
From: Maurits van Rees <>
Subject: Plone: stored XSS in folder contents

A very good day to all you lovely people!

Matt Moreschi discovered a vulnerability in Plone and reported it to the 
security list,
In Plone 5.0.0 through 5.2.4, Editors are vulnerable to XSS in the 
folder contents view, if a Contributor has created a folder with a 
SCRIPT tag in the description field.
Full information is here:
Since we had recently created a hotfix package, we decided to include a 
fix in a new version, 1.5.
This is available from and
The fix will be included in the affected package 
3.8.8, which will be included in Plone 5.2.5, expected in July.

CVE number is CVE-2021-35959:


Maurits van Rees
