GHSA-HC5C-R8M5-2GFH

Vulnerability from github – Published: 2023-09-21 17:16 – Updated: 2023-09-21 17:16
VLAI
Summary
plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait
Details

Impact

There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits.

Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an SVG image as user portrait, and then trick a user into following a link to this portrait.

Patches

A patch will be released in plone.restapi 8.43.3. This version is good for Plone 6.0, and for Plone 5.2 on Python 3.

In plone.restapi 7 or earlier there was no @portrait endpoint yet, so there is nothing to fix in that version. It is still vulnerable to this attack, and needs a fix in Zope 4. These two vulnerabilities share the same CVE: CVE-2023-42458.

Workarounds

You could remove the portrait field from the member data schema, and possibly remove all portraits that are already in the database, but this seems a bit drastic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "plone.restapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.43.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T17:16:44Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nThere is a stored cross site scripting vulnerability for SVG images uploaded in user portraits.\n\nNote that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an SVG image as user portrait, and then trick a user into following a link to this portrait.\n\n### Patches\nA patch will be released in `plone.restapi` 8.43.3. This version is good for Plone 6.0, and for Plone 5.2 on Python 3.\n\nIn `plone.restapi` 7 or earlier there was no `@portrait` endpoint yet, so there is nothing to fix in that version. It is still vulnerable to this attack, and needs a [fix in Zope 4](https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v). These two vulnerabilities share the same CVE: CVE-2023-42458.\n\n### Workarounds\nYou could remove the portrait field from the member data schema, and possibly remove all portraits that are already in the database, but this seems a bit drastic.",
  "id": "GHSA-hc5c-r8m5-2gfh",
  "modified": "2023-09-21T17:16:44Z",
  "published": "2023-09-21T17:16:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/plone/plone.restapi/security/advisories/GHSA-hc5c-r8m5-2gfh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/plone.restapi/commit/5f44c23ac69db7d6d933d77f177e07603cf05f8b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/plone/plone.restapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…