CVE-2023-44389
Published 2023-10-04
CVE-2023-44389: Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while…
Priority: P4 · 21 · medium · CVSS 3.1 base score 4.8
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.40% (32.2nd percentile)
Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zope | zope | < 21dfa78609ffd8b6bd8143805678ebbacae5141a | 21dfa78609ffd8b6bd8143805678ebbacae5141a |
| zope | zope | >= 0 < aeaf2cdc80dff60815e3706af448f086ddc3b98d | aeaf2cdc80dff60815e3706af448f086ddc3b98d |
| zope | zope | >= 4.0 < 4.8.11 | 4.8.11 |
| zope | zope | >= 4.0 < 4.8.11 | 4.8.11 |
| zope | zope | >= 4.0.0 < 4.8.11 | 4.8.11 |
| zope | zope | >= 5.0 < 5.8.6 | 5.8.6 |
| zope | zope | >= 5.0 < 5.8.6 | 5.8.6 |
| zope | zope | >= 5.0.0 < 5.8.6 | 5.8.6 |
| zopefoundation | zope | — | — |
| zopefoundation | zope | — | — |
OSV · 2023-10-04 · CVE-2023-44389 [LOW]
Zope management interface vulnerable to stored cross-site scripting via the title property
### Impact
The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected.
### Patches
Patches will be released with Zope versions 4.8.11 and 5.8.6.
### Workarounds
Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default.
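The advisory above describes a title that is displayed unquoted in the ZMI breadcrumbs. The following Python is an added illustration, not Zope's code: a vulnerable breadcrumb renderer beside an output-escaped one, plus a small audit helper a maintainer could run over object titles before patching. The `ZObject` class and the sample titles are constructed stand-ins, not Zope's real object model.

```python
"""Added example (not Zope's code): why an unescaped object title becomes
stored XSS in a breadcrumb bar, and the fix of escaping it on output.
Object ids and titles below are constructed sample data."""
import html
from dataclasses import dataclass


@dataclass
class ZObject:
    """Minimal stand-in for a Zope object: an id and a free-text title."""
    id: str
    title: str


def render_breadcrumbs_unquoted(path):
    """Vulnerable rendering: the title is interpolated verbatim, so markup
    stored in it is parsed by the browser of whoever views the ZMI page."""
    return " / ".join(f'<a href="/{o.id}/manage">{o.title or o.id}</a>' for o in path)


def render_breadcrumbs_quoted(path):
    """Hardened rendering: every stored value is HTML-escaped at output
    time (html.escape with quote=True also escapes ' and ")."""
    return " / ".join(
        f'<a href="/{html.escape(o.id, quote=True)}/manage">'
        f'{html.escape(o.title or o.id, quote=True)}</a>'
        for o in path
    )


def titles_containing_markup(objects):
    """Defensive audit: ids of objects whose stored title contains characters
    that would be significant if rendered unescaped."""
    return [o.id for o in objects if any(c in o.title for c in '<>"\'&')]


# Constructed sample path: one object carries a script tag in its title.
SAMPLE_PATH = [
    ZObject("root", "Zope"),
    ZObject("site", "Intranet"),
    ZObject("news", "<script>stolen()</script>Newsroom"),
]

if __name__ == "__main__":
    print(render_breadcrumbs_unquoted(SAMPLE_PATH))  # raw <script> reaches the page
    print(render_breadcrumbs_quoted(SAMPLE_PATH))    # &lt;script&gt; is shown as text
    print(titles_containing_markup(SAMPLE_PATH))     # ['news']
```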
GHSA · 2023-10-04 · CVE-2023-44389 [LOW] · CWE-79
Zope management interface vulnerable to stored cross-site scripting via the title property
The GHSA advisory text (Impact, Patches, Workarounds) is identical to the OSV entry above.
OSV · 2023-10-04 · CVE-2023-44389
CVE-2023-44389: Zope is an open-source web application server
Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a
- https://github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh
Published: 2023-10-04