GoogleOSV:GHSA-M755-GXXG-R5QHZope management interface vulnerable to stored cross site scripting via the title property
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
24.4%
Impact
The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected.
Patches
Patches will be released with Zope versions 4.8.11 and 5.8.6.
Workarounds
Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default.
References
github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2023-193.yaml
github.com/zopefoundation/Zope
github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a
github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d
github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh
nvd.nist.gov/vuln/detail/CVE-2023-44389
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
24.4%