VDB
KO
MEDIUM 4.3

GHSA-8rqh-vxpr-x77p

plone.restapi: Stored XSS by spoofing mime type

Details

### Impact

A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type (`text/x-html-safe`) is the type that signifies "already sanitized", any value whose stored mimeType equals it bypasses the safe_html transform entirely on render. The transform itself is sound — it correctly strips `on*` event-handler attributes and `javascript:/data:` URIs; the defect is that it is never invoked for these values. The unsanitized value is then emitted via `tal:content="structure ..."`, which performs no escaping, so the payload executes in the viewer's browser.

This can be a problem when a RichText field is wrongly defined in code with a `mimeType` and `outputMimeType` that are the same, or when the REST API is used to the same effect.

This is the same vulnerability as reported in `plone.app.textfield`: https://github.com/plone/plone.app.textfield/security/advisories/GHSA-4r4f-gg25-rmg5

### Patches The problem has been patched:

* For Plone 6.0 and 6.2, upgrade `plone.restapi` to 9.15.6. * For Plone 6.2, upgrade `plone.restapi` to 10.0.1.

This will prevent abusing the REST API to store wrong rich text values.

This will **not** prevent XSS from rich text fields that already have wrong values. For that, you will need a patched `plone.app.textfield` version. See the `plone.app.textfield` advisory linked above for versions.

### Workarounds There is no known workaround.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone-restapi
Introduced in: 0 Fixed in: 9.15.6
Fix pip install --upgrade 'plone-restapi>=9.15.6'
PyPI / plone-restapi
Introduced in: 10.0.0 Fixed in: 10.0.1
Fix pip install --upgrade 'plone-restapi>=10.0.1'

References