—

PYSEC-2017-61

Details

Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 5.0 Fixed in: 5.0.7

Fix pip install --upgrade 'plone>=4.3.12'

References

https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1 [WEB]
http://www.openwall.com/lists/oss-security/2016/09/05/5 [WEB]
http://www.openwall.com/lists/oss-security/2016/09/05/4 [WEB]
http://seclists.org/fulldisclosure/2016/Oct/80 [WEB]
http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html [WEB]
http://www.securityfocus.com/bid/92752 [WEB]
http://www.securityfocus.com/archive/1/539572/100/0/threaded [WEB]