PT-2020-7569 · Plone · Plone

Matthew Wilkes · Published 2020-01-02 · Updated 2022-05-05 · CVE-2013-7062

CVSS v4.0: 5.3 (Medium)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Plone, in the following release ranges (both ends inclusive):
Plone 3.3.x through 3.3.6
Plone 4.0.x through 4.0.9
Plone 4.1.x through 4.1.6
Plone 4.2.x through 4.2.7
Plone 4.3 through 4.3.2
Description: The affected Plone releases contain multiple cross-site scripting (XSS) vulnerabilities. A remote attacker can inject arbitrary web script or HTML through unspecified input handled by (1) the browser id manager (the Zope sessioning component that issues and reads browser ids) or (2) OFS.Image, the Zope module that implements File and Image objects (it is a module, not a single method). The public advisory does not name the specific parameters, so any user-controlled value that reaches either component should be treated as a potential vector until the fix is applied.
Recommendations: Update to a release outside the affected ranges. For the 4.3 series that means 4.3.3 or later; installations on the 3.3, 4.0, 4.1 and 4.2 series should likewise be moved to a release past the upper bound of their range. As a temporary workaround until the update is applied, restrict access to the browser id manager and to OFS.Image objects; this narrows the reachable surface but does not remove the flaw, so it is a stop-gap rather than a fix.
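The affected ranges above are easy to misjudge by eye or by string comparison (a plain string compare ranks "4.0.10" before "4.0.9"). The following editor-added check, which is not part of the advisory or of Plone itself, parses a Plone version string numerically and reports which advisory range, if any, contains it. It assumes version strings are dotted integers with an optional pre-release suffix such as "4.3.2rc1", which is ignored for the comparison.

```python
# Editor-added example, not part of the advisory or of Plone itself:
# decide whether a Plone version string falls inside one of the affected
# ranges listed above. Versions are compared numerically, so 4.0.10 is
# correctly treated as later than 4.0.9. Assumption: version strings are
# dotted integers with an optional pre-release suffix (e.g. "4.3.2rc1"),
# which is dropped before comparing.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges exactly as stated in the advisory; a two-component
# lower bound such as "4.3" is read as 4.3.0.
AFFECTED_RANGES = [
    ("3.3", "3.3.6"),
    ("4.0", "4.0.9"),
    ("4.1", "4.1.6"),
    ("4.2", "4.2.7"),
    ("4.3", "4.3.2"),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Version:
    """Parse '4.3.2', '4.3' or '4.3.2rc1' into (major, minor, patch)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised Plone version string: %r" % (version,))
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) advisory range containing version, or None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs covering both edges of the ranges.
    for v in ("3.3.6", "4.0.10", "4.3.2rc1", "4.3.3"):
        rng = affected_range(v)
        status = "AFFECTED (%s to %s)" % rng if rng else "not affected"
        print(v, "->", status)
```

On an egg-based Plone 4.x install the running version can be read inside the instance's Python with `pkg_resources.get_distribution("Products.CMFPlone").version` and passed straight to `is_affected`.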

Fix

XSS


Related Identifiers

CVE-2013-7062
GHSA-4793-W44W-M7XM
PYSEC-2020-218

Affected Products

Plone