CVE-2011-1340

Name of the Vulnerable Software and Affected Versions Plone versions prior to 2.5.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the type name parameter to the Members/ipa/createObject endpoint. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Plone versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Members/ipa/createObject endpoint or avoiding the use of the type name parameter until the issue is resolved.