MEDIUM

GHSA-cvwc-g7fw-7xrj

Plone XSS Vulnerability

Details

Cross-site scripting (XSS) vulnerability in `skins/plone_templates/default_error_message.pt` in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to `Members/ipa/createObject`.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 0 Fixed in: 2.5.3

Fix pip install --upgrade 'plone>=2.5.3'

References

https://nvd.nist.gov/vuln/detail/CVE-2011-1340 [ADVISORY]
https://web.archive.org/web/20110816092954/http://dev.plone.org/plone/changeset/12262 [WEB]
https://web.archive.org/web/20110817133423/https://dev.plone.org/plone/ticket/6110 [WEB]
http://jvn.jp/en/jp/JVN41222793/index.html [WEB]
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000056 [WEB]