Plone XSS and permission errors

2011-06-08 / 2011-06-09
Risk: Medium
Local: No
Remote: Yes

As a member of the Plone security response team I hereby notify you that we have been made aware of three distinct security holes in Plone and are requesting CVE identifiers. 1. Reflected XSS attack A crafted URL can display arbitrary HTML output 2. Persistent XSS attack Certain valid HTML will allow Javascript filtering to be bypassed. 3. Unauthorised data changes One change form for data allows preferences to be changed. No deletion of content of loss of confidentiality is possible. Thanks very much, Matthew

References:

http://plone.org/products/plone/security/advisories/CVE-2011-1950
http://xforce.iss.net/xforce/xfdb/67695
http://www.securityfocus.com/bid/48005
http://www.securityfocus.com/archive/1/archive/1/518155/100/0/threaded
http://secunia.com/advisories/44775


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top