Описание
Products.CMFPlone XSS in profile home_page property
A member of the Plone site could set javascript in the home_page property of their profile, and have this executed when a visitor clicks the home page link on the author page.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000482
- https://github.com/plone/Products.CMFPlone/issues/2232
- https://github.com/plone/Products.CMFPlone/pull/2233
- https://github.com/plone/Products.CMFPlone/pull/2234
- https://github.com/plone/Products.CMFPlone/pull/2235
- https://github.com/plone/Products.CMFPlone/pull/2236
- https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab
- https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b
- https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8
- https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml
- https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property
Пакеты
Products.CMFPlone
< 4.3.17
4.3.17
Products.CMFPlone
>= 5.0.0, < 5.0.10
5.0.10
Products.CMFPlone
>= 5.1a1, < 5.1.0
5.1.0
Plone
>= 2.5a1, < 4.3.16
4.3.16
Plone
>= 5.0a1, < 5.1.0
5.1.0
Связанные уязвимости
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.