Vangheem

#48279de 53,639
5.3 CVSS total
Vulnerabilities · 1
PT-2017-7189
5.3
2017-09-25
Plone Foundation · Plone · CVE-2015-7316
**Name of the Vulnerable Software and Affected Versions**

- Plone versions 3.3.0 through 3.3.6
- Plone versions 4.0.0 through 4.0.10
- Plone versions 4.1.0 through 4.1.6
- Plone versions 4.2.0 through 4.2.7
- Plone versions 4.3.x before 4.3.7
- Plone version 5.0rc1

**Description**

The issue allows for cross-site scripting (XSS) by exploiting Plone's URL checking infrastructure. This can be achieved by passing HTML into a specially crafted URL containing `<script`, `%3Cscript`, `javascript:`, or `javascript%3A`.

**Recommendations**

- For Plone versions 3.3.0 through 3.3.6, update to a version outside of this range to mitigate the risk.
- For Plone versions 4.0.0 through 4.0.10, update to a version outside of this range to mitigate the risk.
- For Plone versions 4.1.0 through 4.1.6, update to a version outside of this range to mitigate the risk.
- For Plone versions 4.2.0 through 4.2.7, update to a version outside of this range to mitigate the risk.
- For Plone versions 4.3.x before 4.3.7, update to version 4.3.7 or later to mitigate the risk.
- For Plone version 5.0rc1, update to a later version to mitigate the risk.

As a temporary workaround, consider restricting the use of the URL checking infrastructure until a patch is available. Avoid using URLs containing `<script`, `%3Cscript`, `javascript:`, or `javascript%3A` in the affected Plone versions.