Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13bThxLTk5NzUteGg1ds4AA1_u

Zope vulnerable to Stored Cross Site Scripting with SVG images

Impact

There is a stored cross site scripting vulnerability for SVG images.

Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link.

All versions of Zope are impacted on sites that allow untrusted users to upload images.

Patches

Patches will be released in Zope 4.8.10 and 5.8.5.

Workarounds

Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager has this permission.

Permalink: https://github.com/advisories/GHSA-wm8q-9975-xh5v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13bThxLTk5NzUteGg1ds4AA1_u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-wm8q-9975-xh5v, CVE-2023-42458
References:

Repository: https://github.com/zopefoundation/Zope
Blast Radius: 7.6

Affected Packages

pypi:Zope

Dependent packages: 12
Dependent repositories: 113
Downloads: 1,574,027 last month
Affected Version Ranges: >= 5.8.0, <= 5.8.4, <= 4.8.9
Fixed in: 5.8.5, 4.8.10
All affected versions: 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.6.1, 4.6.2, 4.6.3, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.8.9, 5.8.1, 5.8.2, 5.8.3, 5.8.4
All unaffected versions: 4.8.10, 4.8.11, 5.1.1, 5.1.2, 5.2.1, 5.5.1, 5.5.2, 5.7.1, 5.7.2, 5.7.3, 5.8.5, 5.8.6, 5.11.1