MEDIUM 6.1

GHSA-vh6g-786f-hxxp

Zope XSS Vulnerability

Details

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / zope

Introduced in: 3.1.1 Fixed in: 3.7.3

Fix pip install --upgrade 'zope>=3.7.3'

PyPI / zope2

Introduced in: 0 Fixed in: 2.12.22

Fix pip install --upgrade 'zope2>=2.12.22'

PyPI / zope2

Introduced in: 2.13.0a1 Fixed in: 2.13.12

Fix pip install --upgrade 'zope2>=2.13.12'

References

https://nvd.nist.gov/vuln/detail/CVE-2011-4924 [ADVISORY]
https://github.com/zopefoundation/Zope/commit/37e4ea774acc668f6b430a45a6ab1e359710f590 [WEB]
https://github.com/zopefoundation/Zope/commit/a0655194cb39ad88ce3323a3e489927c5f979c44 [WEB]
https://access.redhat.com/security/cve/cve-2011-4924 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4924 [WEB]
https://github.com/zopefoundation/Zope [PACKAGE]
https://security-tracker.debian.org/tracker/CVE-2011-4924 [WEB]
http://www.openwall.com/lists/oss-security/2012/01/19/16 [WEB]
http://www.openwall.com/lists/oss-security/2012/01/19/17 [WEB]
http://www.openwall.com/lists/oss-security/2012/01/19/18 [WEB]
http://www.openwall.com/lists/oss-security/2012/01/19/19 [WEB]