Non-Persistent XSS in Zope2
Non-Persistent XSS in Zope2
Versions affected
- 5.1a2
- 5.1a1
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.1
- 5.0
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 4.3.11
- 4.3.10
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.2
- 4.3.1
- 4.3
- 4.2.7
- 4.2.6
- 4.2.5
- 4.2.4
- 4.2.3
- 4.2.2
- 4.2.1
- 4.2
- 4.1.6
- 4.1.5
- 4.1.4
- 4.1.3
- 4.1.2
- 4.1.1
- 4.1
- 4.0.10
- 4.0.9
- 4.0.8
- 4.0.7
- 4.0.5
- 4.0.4
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0
- 3.3.6
- 3.3.5
- 3.3.4
- 3.3.3
- 3.3.2
- 3.3.1
- 3.3
- 2.5.5
Vulnerability
A reflected Cross Site Scripting attack (XSS) in the ZMI (`manage_findResult`). You may already be blocking access to `manage` pages in a web server like nginx or Apache. In that case, this part of the hotfix is fine, but is not relevant.
Current status
Patched
Credits
Discovered by
- Tim Coen of Curesec
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team