Server Side Request Forgery via lxml parser
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
Several parts of Plone parse XML with an lxml parser that can be tricked into disclosing the contents of arbitrary files. The affected components are Diazo themes, Dexterity through-the-web (TTW) schemas, and the model editors.
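As an added example (not code from the advisory or from Plone), the block below shows a hardened lxml parser configuration for untrusted XML such as theme rules or TTW schemas, demonstrated against a constructed document whose external entity points at a constructed temporary file. It assumes, as the advisory's wording implies, that the disclosure works through XML external entities; the function names and the sample file are hypothetical.

```python
import os
import tempfile
from lxml import etree

SECRET = "SECRET-CONSTRUCTED"  # constructed stand-in for a sensitive server file


def hardened_parser():
    """lxml parser for untrusted XML (theme rules, TTW schemas, model files).

    Entity references stay unexpanded, external DTDs are not loaded and
    network access is refused, so a SYSTEM entity can pull in neither a
    local file nor a remote URL. Assumed hardening, not Plone's own code.
    """
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           no_network=True, huge_tree=False)


def parse_untrusted(xml_bytes):
    """Parse attacker-controlled XML with the hardened parser."""
    return etree.fromstring(xml_bytes, parser=hardened_parser())


def xxe_demo():
    """Compare an entity-resolving parser with the hardened one.

    Returns (text seen by the resolving parser, serialization of the same
    element as produced by the hardened parser).
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    # Constructed document: the external entity references the temp file.
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE model [<!ENTITY ext SYSTEM "file://%s">]>\n'
        '<model><field>&ext;</field></model>' % path
    ).encode()
    try:
        # resolve_entities=True substitutes external entities; older lxml
        # releases used this as the parser default.
        leaky = etree.XMLParser(resolve_entities=True)
        leaked = etree.fromstring(doc, parser=leaky).findtext("field")
        kept = etree.tostring(parse_untrusted(doc).find("field"))
    finally:
        os.unlink(path)
    return leaked, kept


if __name__ == "__main__":
    leaked, kept = xxe_demo()
    print("resolving parser saw:", leaked)  # the file content
    print("hardened parser kept:", kept)    # the unexpanded &ext; reference
```

The same parser options apply to etree.parse() on file or stream input; the hardened parser keeps the entity as a reference node instead of reading the referenced file.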
Current status
After the initial report by MisakiKata, fixes were released last year in plone.app.theming 4.1.6, plone.app.dexterity 2.6.8, and plone.supermodel 1.6.3; these are included in Plone 5.2.3.
Recently, David Miller showed us that the fix was incomplete.
The hotfix contains complete fixes.
Credits
Discovered by
- MisakiKata
- David Miller
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team