CVE-2023-44389 Zope management interface vulnerable to stored cross site scripting via the title property

2023-10-0420:07:34

CWE-79

GitHub_M

www.cve.org

zope

management interface

cross site scripting

title property

web application server

open-source

zope 4

zope 5

patches

version 4.8.11

version 5.8.6

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

24.4%

JSON

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.

CNA Affected

[
  {
    "vendor": "zopefoundation",
    "product": "Zope",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.8.11",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.8.6",
        "status": "affected"
      }
    ]
  }
]