Server Side Request Forgery via event ical URL
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
Vulnerability
By using a file URL in the calendar import form, you could trick Plone into trying to load a file from the server's own filesystem. Most likely this would fail, because most files are not in the ical (iCalendar) format, but someone with the Manager role would then see an error message containing the contents of one line of the file.
Current status
Partially fixed in plone.app.event 3.2.10 after the first report by MisakiKata, but David Miller recently showed that this fix was incomplete.
The hotfix contains a complete fix.
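The defensive check this bug calls for is a scheme allowlist on the user-supplied import URL, so that a file URL (or a bare local path) is rejected before anything tries to open it. The block below is an added example, not the plone.app.event hotfix's own code; the allowed schemes (http, https, webcal) are an assumption, and naive_check is an illustrative prefix-only denylist included only to contrast with the allowlist, not a description of how the earlier partial fix worked.

```python
from urllib.parse import urlsplit

# Schemes a remote calendar import is expected to use. This allowlist is an
# assumption for the example; the page does not state what the hotfix allows.
ALLOWED_SCHEMES = frozenset({"http", "https", "webcal"})


class InvalidCalendarURL(ValueError):
    """Raised when a user-supplied calendar URL must not be fetched."""


def naive_check(url):
    """Illustrative denylist that only blocks a literal 'file://' prefix."""
    return not url.startswith("file://")


def validate_ical_url(url):
    """Allowlist check: return the URL if its scheme is expected, else raise.

    Anything with no scheme, an unexpected scheme (file:, ftp:, data:, ...)
    or no host part is rejected, so a path on the server's own filesystem
    can never be handed to the fetcher.
    """
    # Strip surrounding whitespace ourselves so the outcome does not depend
    # on which Python version's urlsplit does it.
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidCalendarURL("scheme %r not allowed" % (scheme or "<none>"))
    if not parts.hostname:
        raise InvalidCalendarURL("URL has no host")
    return url


def is_allowed(url):
    """Boolean wrapper around validate_ical_url."""
    try:
        validate_ical_url(url)
    except InvalidCalendarURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: two legitimate URLs, then variants that a
    # prefix-only denylist lets through but the allowlist rejects.
    for s in ("https://example.org/events.ics", "webcal://example.org/events.ics",
              "file:///etc/hostname", "FILE:///etc/hostname", "file:/etc/hostname",
              "  file:///etc/hostname", "/etc/hostname"):
        print("%-32r naive=%-5s allowlist=%s" % (s, naive_check(s), is_allowed(s)))
```

The allowlist only constrains the scheme; whether the host itself may be contacted (for example, internal addresses) is a separate check that this example does not attempt.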
Credits
Discovered by
- MisakiKata
- David Miller
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team