===================================================================== CERT-Renater Note d'Information No. 2023/VULN377 _____________________________________________________________________ DATE : 06/10/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Zope versions prior to 4.8.11, 5.8.6. ===================================================================== https://github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh _____________________________________________________________________ Stored cross site scripting via the title property in the Zope management interface Low dataflake published GHSA-m755-gxxg-r5qh Package Zope (pip) Affected versions < 4.8.11, < 5.8.6 Patched versions 4.8.11, 5.8.6 Description Impact The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected. Patches Patches will be released with Zope versions 4.8.11 and 5.8.6 Workarounds Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default. Severity Low 3.1/ 10 CVSS base metrics Attack vector Network Attack complexity High Privileges required High User interaction Required Scope Unchanged Confidentiality Low Integrity Low Availability None CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N CVE ID CVE-2023-44389 Weaknesses No CWEs Credits @dataflake dataflake Coordinator @drfho drfho Remediation developer @icemac icemac Remediation reviewer @d-maurer d-maurer Remediation reviewer ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================