20220128

Security fix for image_view_fullscreen: cache poisoning

Plone affected versions

  • 6.0.0a2
  • 6.0.0a1
  • 5.2.6
  • 5.2.5
  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.0.10
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.20
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3

Release Notes

See also announcement on GitHub and community.plone.org.

CVE numbers: CVE-2022-23599.

Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.6 and any earlier 5.x version, 6.0.0a2 and any earlier 6.0.0 version).

Versions Not Affected: None.

Nature of vulnerabilities: Cache poisoning, which can be abused for cross-site scripting and open redirects.

Thank you to Gustav Hansen, F-Secure Consulting, who contacted the Plone security team to report problems!

Version support: There are updated packages for Plone 5.2 and 6.0. On other versions, a workaround is available. You can also update to Plone 5.2.7 or 6.0.0a3, which contain the fixes by default.

Note: there is no hotfix package available. The vulnerability is in a Page Template, which makes our usual hotfix package approach unusable.

Installation instructions

Backup First!

It is prudent to back up all your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.

Installing with Buildout
1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory. (If you're using ZEO clients, the subdirectory may be called "zeoserver").

2) Open your buildout.cfg file in your text editor.

3) Scroll down to the "versions" section of the buildout and add updated versions:

For Plone 5.2:

[versions]
plone.app.contenttypes = 2.2.3
Products.ATContentTypes = 3.0.6

You may not be using Products.ATContentTypes, certainly not on Python 3, but it does not hurt to have an extra version pin.

For Plone 6.0:

[versions]
plone.app.contenttypes = 3.0.0a9

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.

If you're using ZEO clients, change instance to client1, client2, etc., in the above commands.
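To check an existing buildout.cfg against the pins above before rerunning buildout, here is an added Python example (not part of this advisory or of Plone's own tooling). The buildout.cfg it parses is a constructed sample, and its version comparison is a small stand-in for a full PEP 440 parser that covers only the X.Y.Z plus aN/bN/rcN forms these pins use.

```python
import configparser
import re

# Minimum fixed versions named in this advisory, per Plone series.
FIXED_PINS = {
    "5.2": {"plone.app.contenttypes": "2.2.3", "Products.ATContentTypes": "3.0.6"},
    "6.0": {"plone.app.contenttypes": "3.0.0a9"},
}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # a final release gets rank 3

def version_key(text):
    """Sortable key for the version subset Plone pins use: X.Y.Z plus aN/bN/rcN."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (4 - len(release))  # pad so 5.1 sorts like 5.1.0.0
    if m.group(2) is None:
        return release + (3, 0)  # 3.0.0 outranks 3.0.0a9 and 3.0.0rc1
    return release + (_PRE_RANK[m.group(2)], int(m.group(3)))

def read_version_pins(buildout_cfg_text):
    """Return the [versions] section of a buildout.cfg as {package: pin}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep case: Products.ATContentTypes
    parser.read_string(buildout_cfg_text)
    return dict(parser["versions"]) if "versions" in parser else {}

def check_pins(buildout_cfg_text, plone_series):
    """Map package -> (pinned, required) for pins missing or older than the fix."""
    pins = read_version_pins(buildout_cfg_text)
    problems = {}
    for pkg, required in FIXED_PINS[plone_series].items():
        pinned = pins.get(pkg)
        if pinned is None or version_key(pinned) < version_key(required):
            problems[pkg] = (pinned, required)
    return problems

# Constructed sample: ATContentTypes is fixed, contenttypes is one patch short.
SAMPLE_CFG = """\
[versions]
plone.app.contenttypes = 2.2.2
Products.ATContentTypes = 3.0.6
"""

if __name__ == "__main__":
    for pkg, (pinned, required) in check_pins(SAMPLE_CFG, "5.2").items():
        print("%s pinned at %s, advisory requires >= %s" % (pkg, pinned, required))
```

A missing pin is reported with None, since a buildout that inherits an older pin from its extends chain is just as exposed as one that pins the old version explicitly.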
Issues fixed