XSS in the title field on plone 5.0 and higher.
Versions affected
- 5.2.1
- 5.2.0
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.0.10
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.1
- 5.0
- 5.0rc3
- 5.0rc2
- 5.0rc1
Vulnerability
A user with Editor or Contributor permissions can create a Folder and put JavaScript in the title. In most places this JavaScript is escaped to be harmless. But in Plone 5.2 it may end up unescaped in the global navigation. And in Plone 5.0 and higher it may end up unescaped in the breadcrumbs of the folder contents page.
Current status
Patched
Credits
Discovered by
- Marcos Valle
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team