Server Side Request Forgery via event ical URL

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.10
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0

Vulnerability

The form for importing a calendar accepts a URL and fetches it server-side without restricting the URL scheme. By submitting a file URL (file://...), you could trick Plone into trying to load a file from the server's own filesystem instead of a remote calendar. Most likely the import would then fail, because most files are not in iCal format. However, someone with the Manager role would be shown the resulting error, and that error message includes the contents of one line of the file, so the bug turns a server-side request forgery into a limited local file disclosure.
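To make the failure mode concrete, here is an added illustration written for this advisory; it is not plone.app.event's code and does not reproduce its parser. It models an import that fetches whatever URL the form submitted, parses it with a minimal stand-in iCal parser whose error echoes the offending line, and shows how a file:// URL leaks the first line of a server file through that error. A hardened variant that allow-lists the URL scheme and never echoes fetched content in the error is shown beside it. The secret file, the parser and all function names are constructed for the example.

```python
"""Model of an iCal-import SSRF that leaks one line of a local file.
This is example code, not plone.app.event's implementation."""
import os
import tempfile
import urllib.request
from urllib.parse import urlparse

# Constructed sample: a non-iCal file on the server holding something sensitive.
SECRET_CONTENT = "db_password=hunter2\nsecond line is never shown\n"


def make_secret_file():
    """Write the constructed secret to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    return path


def parse_ical(text):
    """Stand-in parser (hypothetical). Like many real parsers, its error
    message quotes the line it choked on, which is what leaks here."""
    first = text.splitlines()[0] if text else ""
    if first.strip() != "BEGIN:VCALENDAR":
        raise ValueError("Expected BEGIN:VCALENDAR, got: %r" % first)
    return {"events": text.count("BEGIN:VEVENT")}


def import_ical_vulnerable(url):
    """Vulnerable: fetches any scheme urllib supports, including file://,
    and returns the parser's error text to the (Manager) user."""
    data = urllib.request.urlopen(url).read().decode("utf-8", "replace")
    try:
        return parse_ical(data)
    except ValueError as e:
        return {"error": str(e)}  # one line of the server file ends up here


class UnsupportedScheme(ValueError):
    """Raised for any URL scheme other than http(s)."""


def import_ical_hardened(url):
    """Hardened: allow-list the scheme before fetching, and keep fetched
    content out of the error shown to the user."""
    scheme = urlparse(url).scheme.lower()  # also catches FILE:// and File:
    if scheme not in ("http", "https"):
        raise UnsupportedScheme("only http(s) URLs may be imported")
    data = urllib.request.urlopen(url).read().decode("utf-8", "replace")
    try:
        return parse_ical(data)
    except ValueError:
        return {"error": "The resource at the given URL is not a valid iCal file."}


def demo():
    """Run both variants against a file:// URL for the constructed secret."""
    url = "file://" + make_secret_file()
    leaked = import_ical_vulnerable(url)
    try:
        import_ical_hardened(url)
        blocked = False
    except UnsupportedScheme:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable import returned:", leaked)
    print("hardened import rejected file:// URL:", blocked)
```

Note that a scheme allow-list only closes the local-file half of the problem; an http(s) URL can still point the server at internal hosts, so a complete SSRF fix also has to constrain where http(s) requests may go. The example does not attempt that part.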

Current status

Partially fixed in plone.app.event 3.2.10 after the first report by MisakiKata; David Miller later showed that this fix was incomplete. The hotfix contains a complete fix.

Credits

Discovered by

  • MisakiKata
  • David Miller

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team