Plone 5.0.5 Cross Site Scripting

Published
Credit
Risk
2017.02.19
Tim Coen
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2016-7147
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Plone 5.0.5
Fixed in: Hotfix 20170117
Fixed Version Link: https://plone.org/security/hotfix/20170117
Vendor Contact: security@plone.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 01/26/2017
Release mode: Coordinated Release
CVE: CVE-2016-7147
Credits Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it does
not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The search functionality of the management interface is vulnerable
to reflected XSS. As the input is echoed into an HMTL attribute, an attacker
can use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&
obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=
%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor Again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html

--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com