Lucene search

GitHub Advisory DatabaseGHSA-M755-GXXG-R5QH

HistoryOct 04, 2023 - 6:50 p.m.

Zope management interface vulnerable to stored cross site scripting via the title property

2023-10-0418:50:25

CWE-79

GitHub Advisory Database

github.com

zope

stored cross site scripting

management interface

security advisory

version 4.8.11

version 5.8.6

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.4%

JSON

Impact

The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected.

Patches

Patches will be released with Zope versions 4.8.11 and 5.8.6.

Workarounds

Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default.

Affected configurations

Vulners

Node

zopezopeRange4.0.0–4.8.11

zopezopeRange5.0.0–5.8.6

VendorProductVersionCPE
zopezope*cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zope	zope	*	cpe:2.3:a:zope:zope::::::::

References

github.com/advisories/GHSA-m755-gxxg-r5qh

github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2023-193.yaml

github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a

github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d

github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh

nvd.nist.gov/vuln/detail/CVE-2023-44389