Reflected XSS in various spots
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
Various URLs in Zope and Plone could be used to return script code. This in itself does not do anything, but it can be used load javascript on other pages.
Related, some security fixes in CMFPlone from Products.PloneHotfix20160419 were not active in Python 3.
Current status
The Zope part is already fixed and released in Products.CMFCore 2.5.1 and Products.PluggableAuthService 2.6.2. The hotfix back ports these upstream fixes to older versions.
The Plone part is hotfixed.
Credits
Discovered by
- Calum Hutton
- Plone Security Team
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team