Header injection

People who can write cookie values in Zope can inject headers

Versions affected

  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Vulnerability

This allows an attacker to set fake status messages and to cause users to be logged out.
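As an added example (not Zope's or Plone's own code), the unchecked and the hardened form of a Set-Cookie serializer, showing why a cookie value containing CR/LF breaks out of its header line and how a defensive check rejects it; all function names and sample values are assumptions.

```python
# Added example: not Zope or Plone code. Demonstrates the header-injection
# risk of writing unvalidated cookie values and a defensive check for it.
import re

# Any ASCII control character (CR and LF included) in a header value can end
# the current header line and start a new one. Hypothetical pattern.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """Return True only if value cannot break out of a single header line."""
    return _CTRL.search(value) is None


def build_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Unchecked serializer: writes the value straight into the header."""
    return f"Set-Cookie: {name}={value}; Path={path}"


def build_set_cookie_safe(name: str, value: str, path: str = "/") -> str:
    """Hardened serializer: refuses any field that could inject a header."""
    for field, text in (("name", name), ("value", value), ("path", path)):
        if not is_safe_header_value(text):
            raise ValueError(f"control character in cookie {field}")
    return build_set_cookie(name, value, path)


def count_header_lines(raw: str) -> int:
    """Number of header lines an HTTP parser would see in the serialized text."""
    return len([line for line in re.split(r"\r?\n", raw) if line])


def demo():
    """Compare both serializers on a benign and on a CRLF-bearing value."""
    benign = "session-abc123"  # constructed sample value
    # Constructed sample: the CRLF terminates the Set-Cookie line, so the
    # remainder is parsed as a second, attacker-chosen header line.
    crlf_value = "x\r\nX-Extra: injected"
    unchecked_lines = count_header_lines(build_set_cookie("sid", crlf_value))
    try:
        build_set_cookie_safe("sid", crlf_value)
        rejected = False
    except ValueError:
        rejected = True
    safe_lines = count_header_lines(build_set_cookie_safe("sid", benign))
    return unchecked_lines, rejected, safe_lines  # returns (2, True, 1)
```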

Current status

Patched

Credits

Discovered by

  • Jan Pokorny from Red Hat

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team