Gustav Hansen

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 4.8.10 and 5.8.5 **Description** Zope is an open-source web application server with a stored cross site scripting vulnerability for SVG images. The vulnerability can be exploited when an attacker uploads an image and tricks a user into following a specially crafted link. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. **Recommendations** For Zope versions prior to 4.8.10, update to version 4.8.10 to resolve the issue. For Zope versions prior to 5.8.5, update to version 5.8.5 to resolve the issue. As a temporary workaround, make sure the `Add Documents, Images, and Files` permission is only assigned to trusted roles. By default, only the Manager has this permission.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 13 **Description** This issue allows a user in a privileged network position to potentially track user activity. The issue was addressed with improved data protection. **Recommendations** For versions prior to 13, update to macOS Ventura 13 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Plone versions 2.1 through 4.3 Products.ATContentTypes versions prior to 3.0.6 **Description** The issue concerns reflected cross site scripting and open redirect vulnerabilities. An attacker can exploit these by getting a compromised version of the `image view fullscreen` page into a cache, such as Varnish, using a technique known as cache poisoning. This can lead to any later visitor being redirected when clicking on a link on the compromised page. Typically, only anonymous users are affected, but this depends on the user's cache settings. **Recommendations** For Plone versions 2.1 through 4.3, update Products.ATContentTypes to version 3.0.6. For versions of Products.ATContentTypes prior to 3.0.6, as a temporary workaround, ensure the `image view fullscreen` page is not stored in the cache. To implement the workaround in Plone: - Login as Manager and go to Site Setup. - Go to the 'Caching' control panel. - Click on the tab 'Caching operations'. - Under 'Legacy template mappings' locate the ruleset 'Content item view'. - From the last column ('Templates') remove `image view fullscreen`. - Click on Save.