Persistent XSS

This is a persistent (stored) cross-site scripting (XSS) vulnerability. It allows a user to craft markup that bypasses Plone's safe_html filter, so that arbitrary HTML with malicious content (including script) is saved into site content and later served to other visitors, who execute it in the context of the Plone site.
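The following is an added illustration and is not Plone's safe_html code, nor does it reproduce the bypass reported in this advisory (which the advisory does not detail). It contrasts two hypothetical filtering strategies on constructed inputs: a regex that strips script elements from the raw string, which a browser's tolerant parser still turns into executable markup, and an allowlist sanitizer built on Python's html.parser that re-serialises only known tags, attributes and URL schemes. Names (naive_filter, sanitize, ALLOWED, SAFE_SCHEMES) and the sample payloads are assumptions made for this example.

```python
"""Stored-XSS filter contrast (added example; not Plone's safe_html, not the
reported bypass). Shows why filtering HTML as a string lets markup through
that a browser executes, while a parse-and-reserialise allowlist does not."""
import html
import re
from html.parser import HTMLParser

# Hypothetical naive filter: delete <script>...</script> from the raw string.
_SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_filter(markup: str) -> str:
    return _SCRIPT_RE.sub("", markup)


# Hypothetical allowlist: tag -> attributes that may be kept on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
# URL attribute values must start with one of these (lower-cased, stripped).
SAFE_SCHEMES = ("http:", "https:", "/")


class _Sanitizer(HTMLParser):
    """Walk the parsed document and emit only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip = 0  # depth inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tags vanish; their text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops every on* handler and any other stray attribute
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: and bare relative junk
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip:
                self.skip -= 1
            return
        if not self.skip and tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            # Text is re-escaped, so it can never re-open a tag on output.
            self.out.append(html.escape(data, quote=False))


def sanitize(markup: str) -> str:
    p = _Sanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


# Constructed payloads; none is the one reported against Plone.
PAYLOADS = [
    '<img src=x onerror=alert(1)>',                      # no <script> at all
    '<scr<script></script>ipt>alert(1)</script>',        # regex removal re-assembles a tag
    '<a href="javascript:alert(1)">click</a>',           # script in a URL attribute
]
BENIGN = '<p>Hello <b>world</b> <a href="https://example.org/">link</a></p>'

if __name__ == "__main__":
    for p in PAYLOADS:
        print("naive   :", naive_filter(p))
        print("sanitize:", sanitize(p))
    print("benign  :", sanitize(BENIGN))
```

The point the contrast makes is that a filter which reasons about the serialised string has to predict how every browser will re-parse what it left behind, whereas a filter that parses first and emits only what it explicitly understands fails closed: anything it cannot classify is dropped rather than passed through.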

Versions affected

  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2

Vulnerability

Current status

Credits

Discovered by

  • Daniel Berlin (Google)
  • Dan Bentley (Google)
  • Brian Peters (Independent)

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team