Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oYzVjLXI4bTUtMmdmaM4AA1_4
plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait
Impact
There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits.
Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an SVG image as user portrait, and then trick a user into following a link to this portrait.
Patches
A patch will be released in plone.restapi 8.43.3. This version is good for Plone 6.0, and for Plone 5.2 on Python 3.
In plone.restapi 7 or earlier there was no @portrait endpoint yet, so there is nothing to fix in that version. It is still vulnerable to this attack, and needs a fix in Zope 4. These two vulnerabilities share the same CVE: CVE-2023-42458.
Workarounds
You could remove the portrait field from the member data schema, and possibly remove all portraits that are already in the database, but this seems a bit drastic.
Permalink: https://github.com/advisories/GHSA-hc5c-r8m5-2gfhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oYzVjLXI4bTUtMmdmaM4AA1_4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-hc5c-r8m5-2gfh
References:
- https://github.com/plone/plone.restapi/security/advisories/GHSA-hc5c-r8m5-2gfh
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
- https://github.com/plone/plone.restapi/commit/5f44c23ac69db7d6d933d77f177e07603cf05f8b
- https://github.com/advisories/GHSA-hc5c-r8m5-2gfh
Blast Radius: 8.0
Affected Packages
pypi:plone.restapi
Dependent packages: 38Dependent repositories: 141
Downloads: 8,902 last month
Affected Version Ranges: >= 8.0.0, < 8.43.3
Fixed in: 8.43.3
All affected versions: 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.5.0, 8.6.0, 8.6.1, 8.7.0, 8.7.1, 8.8.0, 8.8.1, 8.9.0, 8.9.1, 8.10.0, 8.11.0, 8.12.0, 8.12.1, 8.13.0, 8.14.0, 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.16.0, 8.16.1, 8.16.2, 8.17.0, 8.18.0, 8.18.1, 8.19.0, 8.20.0, 8.21.0, 8.21.1, 8.21.2, 8.22.0, 8.23.0, 8.24.0, 8.24.1, 8.25.0, 8.25.1, 8.26.0, 8.27.0, 8.28.0, 8.29.0, 8.30.0, 8.31.0, 8.32.0, 8.32.1, 8.32.2, 8.32.3, 8.32.4, 8.32.5, 8.32.6, 8.33.0, 8.33.1, 8.33.2, 8.33.3, 8.34.0, 8.35.0, 8.35.1, 8.35.2, 8.35.3, 8.36.0, 8.36.1, 8.37.0, 8.38.0, 8.39.0, 8.39.1, 8.39.2, 8.40.0, 8.41.0, 8.42.0, 8.42.1, 8.43.0, 8.43.1, 8.43.2
All unaffected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.8.0, 3.8.1, 3.9.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.7.0, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6, 6.13.7, 6.13.8, 6.14.0, 6.15.0, 6.15.1, 7.0.0, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.7, 7.3.8, 7.4.0, 7.4.1, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.9.0, 8.43.3, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.5.0, 9.6.0, 9.6.1