—

PYSEC-2018-71

Details

A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 2.5 Fixed in: 4.3.16

Fix pip install --upgrade 'plone>=4.3.16'

References

https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property [WEB]