CVE-2023-42458
Published 2023-09-21
Priority P427 · medium 5.4 (CVSS 3.1, vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.60% (44.2th percentile)
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zope | zope | < 4.8.10 | 4.8.10 |
| zope | zope | >= 0 < 4.8.10 | 4.8.10 |
| zope | zope | >= 5.0.0 < 5.8.5 | 5.8.5 |
| zope | zope | >= 5.8.0 < 5.8.5 | 5.8.5 |
| zopefoundation | zope | < 4.8.10 | 4.8.10 |
| zopefoundation | zope | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| ghsa | — | 5.4 | MEDIUM | — |
| osv | — | 5.4 | MEDIUM | — |
OSV
Zope vulnerable to Stored Cross Site Scripting with SVG images
osv · 2023-09-21 · CVE-2023-42458 · severity LOW
### Impact
There is a stored cross site scripting vulnerability for SVG images.
Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link.
All versions of Zope are impacted on sites that allow untrusted users to upload images.
### Patches
Patches will be released in Zope 4.8.10 and 5.8.5.
### Workarounds
Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager has this permission.
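The advisory's distinction (an `<img>` tag is never vulnerable, a direct link to the uploaded SVG is) comes down to how the file is served: a browser never runs script inside an image subresource, but an SVG fetched as a top-level document with `Content-Type: image/svg+xml` is a full document in the site's origin, with access to its cookies and DOM. The following is an added example, not code from Zope or plone.restapi, showing both sides of that and two server-side controls that close the direct-navigation path: rejecting SVGs with active content at upload time, and serving stored SVGs with `Content-Disposition: attachment` plus a sandboxing CSP so they can never render inline. It goes a little beyond the advisory text by also catching event-handler attributes, `javascript:` links and SMIL `href` rewrites, not just `<script>`. `UPLOADS`, `accept_upload` and `serve_upload` are hypothetical stand-ins for the "Add Documents, Images, and Files" upload path and for whatever serves an image object; the sample SVGs are constructed; and the attachment/CSP approach is one standard mitigation, not a claim about what the linked upstream commits do.

```python
"""Added example, not Zope's or plone.restapi's code: why an uploaded SVG is a
stored-XSS sink only when opened directly, and two server-side controls.

Hypothetical pieces (not the projects' APIs): the UPLOADS store, accept_upload
as a stand-in for the image upload path, and serve_upload as a stand-in for
whatever serves a stored image object inline."""

import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample: script, an event handler and a javascript: link. A browser
# runs these only when this file is the top-level document; <img src=...> never
# executes script inside an image, which is why an image tag is never vulnerable.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <script>fetch('/steal?c=' + encodeURIComponent(document.cookie))</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
</svg>"""

# Constructed sample: no <script>, but SMIL rewrites the link target on load.
SMIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="#"><text y="20">click</text>
    <set attributeName="xlink:href" to="javascript:alert(1)"/></a>
</svg>"""

# Constructed sample: a plain drawing with nothing executable.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

UPLOADS = {"evil.svg": MALICIOUS_SVG, "dot.svg": BENIGN_SVG}


def _local(qname):
    """'{ns}name' -> 'name' (lowercased); un-namespaced names pass through."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_has_active_content(data: bytes) -> bool:
    """Upload-time check: True if data is an SVG document carrying anything a
    browser could execute when the file is opened as a document. Non-SVG or
    unparseable input returns False (it would not render as SVG at all)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if root.tag != "{%s}svg" % SVG_NS:
        return False
    for el in root.iter():
        if not isinstance(el.tag, str):          # comments, processing instructions
            continue
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):   # foreignObject can embed HTML
            return True
        attrs = {_local(k): v for k, v in el.attrib.items()}
        if tag in ("set", "animate") and attrs.get("attributename", "").endswith("href"):
            return True                          # SMIL pointing href at javascript:
        for name, value in attrs.items():
            if name.startswith("on"):            # onload=, onclick=, ...
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def accept_upload(name: str, data: bytes) -> bool:
    """Store the file unless it is an SVG with active content; True when stored.
    Decided from the bytes, not the filename or declared type, since both are
    attacker-controlled."""
    if svg_has_active_content(data):
        return False
    UPLOADS[name] = data
    return True


def serve_upload(name: str, hardened: bool):
    """Response for a direct GET of a stored file as (status, headers, body).

    hardened=False mirrors the behaviour the advisory describes: the SVG goes out
    inline as image/svg+xml from the site's origin, so a victim who follows a
    link to it runs the embedded script with that origin's cookies and DOM."""
    body = UPLOADS[name]
    headers = [
        ("Content-Type", "image/svg+xml"),
        ("Content-Length", str(len(body))),
        ("X-Content-Type-Options", "nosniff"),
    ]
    if hardened:
        # Control 1: never let the file become a top-level document. Navigation
        # honours Content-Disposition; subresource loads (<img src>) ignore it,
        # so existing image tags keep working.
        headers.append(("Content-Disposition", 'attachment; filename="%s"' % name))
        # Control 2, defence in depth if something still renders it inline:
        # forbid script and give the document an opaque origin.
        headers.append(("Content-Security-Policy", "sandbox; script-src 'none'"))
    return "200 OK", headers, body
```

The upload-time filter alone is not enough on its own: it is a denylist over known SVG execution vectors, and the advisory's workaround (restricting the "Add Documents, Images, and Files" permission) exists precisely because the upload path is the trust boundary. The response-side controls do not depend on recognising the payload, so a deployment that cannot patch immediately should prefer them together with the permission change.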
GHSA
plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait
ghsa · 2023-09-21 · CVSS 5.4 (MEDIUM) · CWE-79
### Impact
There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits.
Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an SVG image as user portrait, and then trick a user into following a link to this portrait.
### Patches
A patch will be released in `plone.restapi` 8.43.3. This version is good for Plone 6.0, and for Plone 5.2 on Python 3.
In `plone.restapi` 7 or earlier there was no `@portrait` endpoint yet, so there is nothing to fix in that version. It is still vulnerable to this attack, and needs a [fix
OSV
plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait
osv · 2023-09-21 · CVSS 5.4 (MEDIUM); advisory text identical to the GHSA entry above.
GHSA
Zope vulnerable to Stored Cross Site Scripting with SVG images
ghsa · 2023-09-21 · CVE-2023-42458 · severity LOW · CWE-79; advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://www.openwall.com/lists/oss-security/2023/09/22/2
https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v