XSS in the title field on plone 5.0 and higher.

Versions affected

  • 5.2.1
  • 5.2.0
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.0.10
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1

Vulnerability

A user with Editor or Contributor permissions can create a Folder and put JavaScript in the title. In most places this JavaScript is escaped to be harmless. But in Plone 5.2 it may end up unescaped in the global navigation. And in Plone 5.0 and higher it may end up unescaped in the breadcrumbs of the folder contents page.

Current status

Patched

Credits

Discovered by

  • Marcos Valle

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team