CVE-2023-42458

Name of the Vulnerable Software and Affected Versions Zope versions prior to 4.8.10 and 5.8.5

Description Zope is an open-source web application server with a stored cross site scripting vulnerability for SVG images. The vulnerability can be exploited when an attacker uploads an image and tricks a user into following a specially crafted link. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code.

Recommendations For Zope versions prior to 4.8.10, update to version 4.8.10 to resolve the issue. For Zope versions prior to 5.8.5, update to version 5.8.5 to resolve the issue. As a temporary workaround, make sure the Add Documents, Images, and Files permission is only assigned to trusted roles. By default, only the Manager has this permission.