Header injection
People who can write cookie values in Zope can inject headers.
Versions affected
- 3.3.6
- 3.3.5
- 3.3.4
- 3.3.3
- 3.3.2
- 3.3.1
- 3.3
Vulnerability
This allows fake status messages to be set and users to be logged out.
Current status
Patched
Credits
Discovered by
- Jan Pokorny from Red Hat
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team