=====================================================================
CERT-Renater Information Note No. 2023/VULN340
_____________________________________________________________________
DATE: 22/09/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Zope versions prior to 4.8.10 or 5.8.5,
or AccessControl versions prior to 4.4, 5.8 or 6.2.
=====================================================================
https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c
_____________________________________________________________________

Stored Cross Site Scripting with SVG images
Severity: Low
Published by icemac as GHSA-wm8q-9975-xh5v
Package: Zope (pip)
Affected versions: <= 4.8.9, <= 5.8.4
Patched versions: 4.8.10, 5.8.5

Description

Impact
There is a stored cross-site scripting vulnerability for SVG images. Note that an image tag with an SVG image as its source is never vulnerable, even when the SVG image contains malicious code: the script only runs when the SVG itself is opened as a document. To exploit the vulnerability, an attacker would therefore first need to upload an image, and then trick a user into following a specially crafted link to it. All versions of Zope are impacted on sites that allow untrusted users to upload images.

Patches
Patches will be released in Zope 4.8.10 and 5.8.5.

Workarounds
Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager role has this permission.

Credits
This was discovered by the Plone/Zope Security Team, after independent initial reports by Gustav Hansen and Faris Krivic. Thanks!
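The distinction the advisory draws (an SVG embedded via <img> is inert, the same file opened directly is not) is what makes an upload-time check useful alongside the permission workaround. The following is an added example, not Zope's code or its fix: it flags the SVG constructs that only become dangerous when the file is rendered as a top-level document (script elements, foreignObject, on* event handlers and javascript: links) and rejects malformed input outright. It uses the standard library so that it runs stand-alone; on a real upload path the parsing should go through defusedxml instead of xml.etree directly. The sample documents are constructed for the example.

```python
"""Reject uploaded SVG files that carry active content.

Added illustration, not Zope's code: runs over constructed sample documents
and uses only the standard library. Production code should parse untrusted
XML with defusedxml rather than xml.etree directly.
"""
import xml.etree.ElementTree as ET
from typing import List

# Elements that execute script or embed HTML when the SVG is opened as a
# document (e.g. by following a link to it) rather than shown via <img>.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that run code when a link inside the SVG is followed.
ACTIVE_URL_SCHEMES = ("javascript:", "vbscript:")
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return findings describing active content; an empty list means clean.

    Malformed input is reported as a finding so that it is rejected rather
    than silently accepted.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings: List[str] = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):      # comments / PIs, if any
            continue
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):     # onload, onclick, ...
                findings.append(f"event handler {attr_name} on <{name}>")
                continue
            if attr == XLINK_HREF or attr_name == "href":
                # Scheme matching is case-insensitive and ignores surrounding
                # whitespace; embedded whitespace is dropped too, to stay
                # conservative rather than mirror any one browser's parser.
                scheme_text = "".join(value.split()).lower()
                if scheme_text.startswith(ACTIVE_URL_SCHEMES):
                    findings.append(f"{attr_name}={value!r} on <{name}>")
    return findings


def is_safe_to_store(svg_bytes: bytes) -> bool:
    """Upload gate: True only when no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed sample inputs (not taken from any real report).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* would run when the SVG is opened directly */</script>'
              b'</svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)">'
              b'<rect width="1" height="1"/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href=" JavaScript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("onload", ONLOAD_SVG), ("href", HREF_SVG)]:
        print(label, "safe" if is_safe_to_store(doc) else find_active_content(doc))
```

The check is deliberately a deny-list of the constructs the advisory's scenario depends on, so it belongs in front of storage as a defence in depth; it does not replace restricting the "Add Documents, Images, and Files" permission to trusted roles.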
Severity: Low (3.7/10)
CVSS base metrics:
  Attack vector: Network
  Attack complexity: High
  Privileges required: Low
  User interaction: Required
  Scope: Unchanged
  Confidentiality: Low
  Integrity: Low
  Availability: None
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CVE ID: CVE-2023-42458
Weaknesses: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS)
Credits: @mauritsvanrees (remediation developer), @icemac (remediation reviewer)
_____________________________________________________________________

Information disclosure through Python's "format" functionality
Severity: Moderate
Published by dataflake as GHSA-8xv7-89vj-q48c
Packages: AccessControl, Zope
Affected versions: AccessControl <= 4.3, <= 5.7, <= 6.1; Zope <= 4.8.8, <= 5.8.3
Patched versions: AccessControl 4.4, 5.8, 6.2; Zope 4.8.9, 5.8.4

Description

Impact
Python's "format" functionality allows whoever controls the format string to "read" objects reachable (recursively) via attribute access and subscription from the accessible objects. Those attribute accesses and subscriptions use Python's full-blown getattr and getitem, not the policy-restricted AccessControl variants _getattr_ and _getitem_, so the access policy is bypassed entirely for the objects walked this way. This can lead to critical information disclosure. AccessControl already provides a safe variant for str.format and denies access to string.Formatter; however, str.format_map was still unsafe. Affected are all users who allow untrusted users to create AccessControl-controlled Python code and execute it.

Patches
A fix will be introduced in versions 4.4, 5.8 and 6.2.

Workarounds
There are no workarounds.

References
GHSA-xjw2-6jm9-rf67 describes the corresponding problem for RestrictedPython.
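To make the mechanism concrete: the traversal the advisory describes is nothing more than the ".attr" and "[key]" hops a format field can contain, each resolved with plain getattr/getitem, so a caller-controlled template can walk from an innocuous object to its class, to a method, to that method's module globals. The block below is an added example, not AccessControl's code: it shows the walk succeeding through str.format_map, then a string.Formatter subclass in which every hop goes through guarded accessors instead. The policy in those accessors (deny names starting with an underscore, allow subscription only on plain containers) is an assumption chosen for the illustration and is much simpler than AccessControl's real checks; the Config class and SECRET_TOKEN are constructed for the example.

```python
"""Why str.format_map is dangerous in restricted code, and a guarded formatter.

Added illustration, not AccessControl's code. The 'guarded' accessors below
implement a deliberately simple policy (deny names starting with an
underscore, allow subscription only on plain containers); AccessControl's
real checks are richer, so treat this as the shape of the fix, not the fix.
"""
import re
import string
from typing import Any, List, Mapping, Tuple

SECRET_TOKEN = "s3cr3t-api-token"   # constructed module-level secret


class Config:
    """Stand-in for an object the restricted template may name."""

    def __init__(self) -> None:
        self.title = "Public title"
        self._secret = "db-password"   # policy should hide this


def unsafe_render(template: str, namespace: Mapping[str, Any]) -> str:
    """Plain str.format_map: field traversal uses full getattr/getitem."""
    return template.format_map(namespace)


def leak_via_format_map() -> str:
    """Walk from an innocuous object to this module's globals and read a secret."""
    return unsafe_render(
        "{cfg.__class__.__init__.__globals__[SECRET_TOKEN]}", {"cfg": Config()})


# --- guarded variant -------------------------------------------------------

def guarded_getattr(obj: Any, name: str) -> Any:
    """Assumed policy: private/dunder names are never reachable."""
    if name.startswith("_"):
        raise PermissionError(f"attribute {name!r} denied")
    return getattr(obj, name)


def guarded_getitem(obj: Any, key: Any) -> Any:
    """Assumed policy: subscription only on plain containers."""
    if not isinstance(obj, (dict, list, tuple, str)):
        raise PermissionError(f"subscription of {type(obj).__name__} denied")
    return obj[key]


_FIELD_OPS = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


def _parse_field(field_name: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'a.b[0].c' into ('a', [('attr','b'), ('item','0'), ('attr','c')])."""
    head = re.match(r"[^.\[]*", field_name)
    ops: List[Tuple[str, str]] = []
    for m in _FIELD_OPS.finditer(field_name, head.end()):
        ops.append(("attr", m.group(1)) if m.group(1) is not None
                   else ("item", m.group(2)))
    return head.group(0), ops


class GuardedFormatter(string.Formatter):
    """string.Formatter whose '.attr' and '[key]' walk goes through the policy."""

    def get_value(self, key, args, kwargs):
        if not isinstance(key, str) or not key or key.isdigit():
            raise PermissionError("positional fields denied")
        return kwargs[key]                 # caller-supplied namespace only

    def get_field(self, field_name, args, kwargs):
        first, ops = _parse_field(field_name)
        obj = self.get_value(first, args, kwargs)
        for kind, key in ops:
            if kind == "attr":
                obj = guarded_getattr(obj, key)
            else:                          # mirror str.format: digits -> int
                obj = guarded_getitem(obj, int(key) if key.isdigit() else key)
        return obj, first


def safe_render(template: str, namespace: Mapping[str, Any]) -> str:
    """Drop-in for format_map that honours the policy on every hop."""
    return GuardedFormatter().vformat(template, (), namespace)


def guarded_attempt(template: str) -> str:
    """Render under the policy, returning 'denied: ...' instead of raising."""
    try:
        return safe_render(template, {"cfg": Config()})
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    print("format_map leak:", leak_via_format_map())
    print("guarded:", guarded_attempt("{cfg.__class__.__init__.__globals__[SECRET_TOKEN]}"))
    print("guarded, allowed:", guarded_attempt("{cfg.title[0]}"))
```

The point of overriding get_field rather than get_value is that string.Formatter resolves the dotted and subscripted part of a field inside get_field; a guard that only checks the first name leaves the rest of the walk on plain getattr/getitem, which is exactly the gap the advisory describes.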
Severity: Moderate (6.8/10)
CVSS base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: High
  User interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: None
  Availability: None
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2023-41050
Weaknesses: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Credits: @d-maurer (remediation developer)
=========================================================
+ CERT-RENATER           | tel: 01-53-94-20-44          +
+ 23/25 Rue Daviel       | fax: 01-53-94-20-41          +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================