Описание
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
Ссылки
- Mailing ListThird Party Advisory
- Release NotesVendor Advisory
- Vendor Advisory
- ExploitThird Party Advisory
- Mailing ListThird Party Advisory
- Release NotesVendor Advisory
- Vendor Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 5.2.4 (исключая)
cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*
EPSS
Процентиль: 63%
0.00444
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 6.1
github
больше 3 лет назад
Plone XSS in User Fullname Property and File Upload
EPSS
Процентиль: 63%
0.00444
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79