what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Plone 5.0.5 Cross Site Scripting

Plone 5.0.5 Cross Site Scripting
Posted Feb 18, 2017
Authored by Tim Coen | Site curesec.com

Plone version 5.0.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2016-7147
SHA-256 | f23f365ad7be4890c9801cbb5c09c3060407d0b8d444fc6d52637f10df958c28

Plone 5.0.5 Cross Site Scripting

Change Mirror Download
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Plone 5.0.5
Fixed in: Hotfix 20170117
Fixed Version Link: https://plone.org/security/hotfix/20170117
Vendor Contact: security@plone.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 01/26/2017
Release mode: Coordinated Release
CVE: CVE-2016-7147
Credits Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it does
not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The search functionality of the management interface is vulnerable
to reflected XSS. As the input is echoed into an HMTL attribute, an attacker
can use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&
obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=
%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor Again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html

--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany


Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close