Matthew Wilkes

Name of the Vulnerable Software and Affected Versions: Plone versions 3.3.x through 3.3.6 Plone versions 4.0.x through 4.0.9 Plone versions 4.1.x through 4.1.6 Plone versions 4.2.x through 4.2.7 Plone versions 4.3 through 4.3.2 Description: The issue allows remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser id manager or (2) OFS.Image method. This can be exploited to conduct cross-site scripting (XSS) attacks. Recommendations: For Plone versions 3.3.x through 3.3.6, update to a version outside of this range to mitigate the risk. For Plone versions 4.0.x through 4.0.9, update to a version outside of this range to mitigate the risk. For Plone versions 4.1.x through 4.1.6, update to a version outside of this range to mitigate the risk. For Plone versions 4.2.x through 4.2.7, update to a version outside of this range to mitigate the risk. For Plone versions 4.3 through 4.3.2, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the browser id manager and OFS.Image method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** django CMS versions 3.0.0 through 3.0.13 django CMS versions 3.1.0 through 3.1.0 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors. **Recommendations** For django CMS versions 3.0.0 through 3.0.13, update to version 3.0.14 or later. For django CMS versions 3.1.0 through 3.1.0, update to version 3.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Plone versions 3.3 through 4.3.2 **Description** The issue allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope in the FactoryTool.py file. **Recommendations** For Plone versions 3.3 through 4.3.2, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Plone versions 2.1 through 4.1 **Description** A cross-site scripting (XSS) issue exists in the safe html filter in Products.PortalTransforms, allowing remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Plone versions 2.1 through 4.1, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions.