Plone 5.0.5 Cross Site Scripting

2017-02-18 / 2017-02-19
Credit: Tim Coen
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Security Advisory - Curesec Research Team 1. Introduction Affected Product: Plone 5.0.5 Fixed in: Hotfix 20170117 Fixed Version Link: https://plone.org/security/hotfix/20170117 Vendor Contact: security@plone.org Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/05/2016 Disclosed to public: 01/26/2017 Release mode: Coordinated Release CVE: CVE-2016-7147 Credits Tim Coen of Curesec GmbH 2. Overview Plone is an open source CMS written in python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS as it does not properly encode double quotes. 3. Details CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description: The search functionality of the management interface is vulnerable to reflected XSS. As the input is echoed into an HMTL attribute, an attacker can use double quotes to escape the current attribute and add new attributes to enter a JavaScript context. Proof of Concept: http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all& obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec= %3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find 4. Solution To mitigate this issue please apply the hotfix 20170117. Please note that a newer version might already be available. 5. Report Timeline 09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE 09/06/2016 CVE assigned 09/06/2016 Vendor requests 90 days to release fix 01/10/2017 Contacted Vendor Again, Vendor announces hotfix 01/17/2017 Vendor releases hotfix 01/26/2017 Disclosed to public Blog Reference: https://www.curesec.com/blog/article/blog/Plone-XSS-186.html -- blog: https://www.curesec.com/blog tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Josef-Orlopp-StraAe 54 10365 Berlin, Germany


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top