Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Plone 5.0.5
Fixed in:            Hotfix 20170117
Fixed Version Link:  https://plone.org/security/hotfix/20170117
Vendor Contact:      security@plone.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 01/26/2017
Release mode:        Coordinated Release
CVE:                 CVE-2016-7147
Credits:             Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in Python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS because it does not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

The search functionality of the management interface is vulnerable to reflected XSS. Because the input is echoed into an HTML attribute without encoding, an attacker can use double quotes to terminate the current attribute and add new attributes, which is enough to enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117. Please note that a newer version might already be available.

5. Report Timeline

09/05/2016  Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016  CVE assigned
09/06/2016  Vendor requests 90 days to release fix
01/10/2017  Contacted Vendor Again, Vendor announces hotfix
01/17/2017  Vendor releases hotfix
01/26/2017  Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html

--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
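The bug class in section 3 is a value reflected into a quoted HTML attribute without attribute encoding. The following Python example is added here to illustrate it; it is not Plone or Zope code and does not reproduce the ZMI template. It renders a search input field two ways, once with raw interpolation (the defect) and once with html.escape(quote=True) (the standard fix), then runs a simplified attribute tokenizer over the result so a reviewer can see which attribute names a browser would parse. The sample input, the field name and the tokenizer are constructed for the demonstration.

```python
import html
import re
from typing import List

# Constructed sample: a user-supplied search value containing a double quote.
# Not taken from the advisory's proof of concept.
SAMPLE_INPUT = 'term" autofocus onfocus=x'


def render_unescaped(value: str) -> str:
    """Vulnerable pattern: the value is interpolated into a double-quoted
    attribute as-is, so a '"' in the input closes the attribute early and
    whatever follows is parsed as further attributes of the tag."""
    return f'<input type="text" name="obj_ids:tokens" value="{value}">'


def render_escaped(value: str) -> str:
    """Hardened pattern: html.escape with quote=True turns &, <, >, " and '
    into entities, so the value can never terminate the attribute it sits in."""
    safe = html.escape(value, quote=True)
    return f'<input type="text" name="obj_ids:tokens" value="{safe}">'


# Naive attribute tokenizer (constructed for this check, not an HTML parser):
# an attribute name, optionally followed by a quoted or unquoted value.
_ATTR_RE = re.compile(r'(\w+)(?:=(?:"[^"]*"|\S+))?')


def attribute_names(tag: str) -> List[str]:
    """Return the attribute names a browser would see on a single <input ...> tag."""
    inner = tag[len('<input '):-1]  # strip the leading '<input ' and trailing '>'
    return [m.group(1) for m in _ATTR_RE.finditer(inner)]


def injected_attributes(tag: str) -> List[str]:
    """Attributes beyond the three the template intends to emit; a non-empty
    list means the input broke out of the value attribute."""
    expected = {"type", "name", "value"}
    return [name for name in attribute_names(tag) if name not in expected]


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        tag = renderer(SAMPLE_INPUT)
        print(f"{label}: {tag}")
        print(f"  injected attributes: {injected_attributes(tag)}")
```

The check that matters is the last one: with raw interpolation the tokenizer reports autofocus and onfocus as attributes of the tag, while with quote=True encoding the whole input stays inside value and no extra attributes appear. Encoding with quote=False (the html.escape default) would leave the double quote intact and would not close this hole, which is why the quote argument, or an autoescaping template engine, is the relevant setting to verify.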