XSS vulnerability in CMFDiffTool
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
When editing content items, a history of previous versions can be kept. The tool used to show the differences between two versions can be tricked into rendering script tags from the stored content unescaped, so they are executed in the browser of whoever views the diff.
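As an added illustration, not code from CMFDiffTool or the hotfix: a minimal word-level inline diff in the vulnerable shape (version text copied into the `<del>`/`<ins>` markup verbatim) beside the escaped form, plus a check that a diff page renders no tags other than the ones the diff tool itself emits. The token split, function names and sample versions are assumptions.

```python
import difflib
import html
import re

# Illustrative only: the escaping pattern, not CMFDiffTool's implementation.
TOKEN_RE = re.compile(r"\S+|\s+")  # words and the whitespace between them


def _tokens(text):
    return TOKEN_RE.findall(text)


def _render(old, new, escape):
    """Word-level inline diff; `escape` decides whether version text is HTML-escaped."""
    a, b = _tokens(old), _tokens(new)
    enc = html.escape if escape else (lambda s: s)
    out = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            out.append(enc("".join(a[i1:i2])))
            continue
        if tag in ("replace", "delete"):
            out.append("<del>%s</del>" % enc("".join(a[i1:i2])))
        if tag in ("replace", "insert"):
            out.append("<ins>%s</ins>" % enc("".join(b[j1:j2])))
    return "".join(out)


def unsafe_inline_diff(old, new):
    """Vulnerable shape: stored markup (e.g. a <script> tag) reaches the page as HTML."""
    return _render(old, new, escape=False)


def safe_inline_diff(old, new):
    """Hardened shape: every chunk of version text is escaped before wrapping."""
    return _render(old, new, escape=True)


def has_unescaped_tag(rendered):
    """Regression check: any tag left after removing the tool's own <del>/<ins>?"""
    stripped = re.sub(r"</?(del|ins)>", "", rendered)
    return re.search(r"<[a-zA-Z/!]", stripped) is not None


if __name__ == "__main__":
    OLD = "Hello world"                           # constructed sample versions
    NEW = "Hello <script>alert(1)</script>"
    print(unsafe_inline_diff(OLD, NEW))  # script tag survives as live markup
    print(safe_inline_diff(OLD, NEW))    # script tag shown as text only
```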
Current status
Hotfixed. The hotfix overrides the inline_diff method of various classes in Products.CMFDiffTool. For these methods you get a patched version of the code from CMFDiffTool version 3.3.2, which may contain more fixes or features than the version your site currently uses. Care has been taken that this works for all CMFDiffTool versions officially used in Plone 4.3.0 or higher.
Credits
Discovered by
- Igor Margitich
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team