PT-2023-29223 · Zope · Zope
Dataflake
·
Published
2023-10-04
·
Updated
2024-02-01
·
CVE-2023-44389
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zope versions prior to 4.8.11
Zope versions prior to 5.8.6
Description
Zope is an open-source web application server. The
title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). This occurs because the title property is displayed unquoted in the breadcrumbs element.Recommendations
For versions prior to 4.8.11, update to version 4.8.11 to resolve the issue.
For versions prior to 5.8.6, update to version 5.8.6 to resolve the issue.
As a temporary workaround, ensure that only Manager users can edit and view Zope objects in the Zope Management Interface, which is the default configuration.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zope