Plone 5.0.5 Cross Site Scripting

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: Plone 5.0.5  
Fixed in: Hotfix 20170117  
Fixed Version Link: https://plone.org/security/hotfix/20170117  
Vendor Contact: [email protected]  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 09/05/2016  
Disclosed to public: 01/26/2017  
Release mode: Coordinated Release  
CVE: CVE-2016-7147  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
Plone is an open source CMS written in python. In version 5.0.5, the Zope  
Management Interface (ZMI) component is vulnerable to reflected XSS as it does  
not properly encode double quotes.  
  
3. Details  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: The search functionality of the management interface is vulnerable  
to reflected XSS. As the input is echoed into an HMTL attribute, an attacker  
can use double quotes to escape the current attribute and add new attributes to  
enter a JavaScript context.  
  
Proof of Concept:  
  
http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&  
obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=  
%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find  
  
4. Solution  
  
To mitigate this issue please apply the hotfix 20170117.  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE  
09/06/2016 CVE assigned  
09/06/2016 Vendor requests 90 days to release fix  
01/10/2017 Contacted Vendor Again, Vendor announces hotfix  
01/17/2017 Vendor releases hotfix  
01/26/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html  
  
--  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`