CVE-2023-42458
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-42458
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42458.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-42458
- Aliases
- Related
- Published
- 2023-09-21T17:15:22Z
- Modified
- 2025-01-15T04:58:26.372516Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.
- References
-
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
- http://www.openwall.com/lists/oss-security/2023/09/22/2
- https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
- https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
Affected packages
Git / github.com/zopefoundation/zope
Affected ranges
- Type
- GIT
- Repo
- https://github.com/zopefoundation/zope
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
2.*
2.12.27
2.12.28
2.13.20
2.13.21
2.13.22
4.*
4.0
4.0a1
4.0a2
4.0a3
4.0a4
4.0a5
4.0a6
4.0b1
4.0b10
4.0b2
4.0b3
4.0b4
4.0b5
4.0b6
4.0b7
4.0b8
4.0b9
4.1
4.1.1
4.1.2
4.1.3
4.2
4.2.1
4.3
4.4
4.4.1
4.4.2
4.4.3
4.4.4
4.5
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6
4.6.1
4.6.2
4.6.3
4.7
4.8
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
5.*
5.0
5.0a1
5.0a2
5.1
5.1.1
5.1.2
5.2
5.2.1
5.3
5.4
5.5
5.5.1
5.5.2
5.6
5.7
5.7.1
5.7.2
5.7.3
5.8
5.8.1
5.8.2
5.8.3
5.8.4
backups/Zope-2.*
backups/Zope-2.9@40221
Other
backups/Zope-2_9-branch@40220
backups/ajung-2-11-prep-branch@82440
backups/ajung-zcatalog-progress@26609
backups/ajung-zpt-encoding-fixes@71736
backups/ajung-zpt-end-game@68335
backups/andig-catalog-report@115049
backups/gotcha-processlifetime@113938
backups/hannosch-dtml-vs-accesscontrol@113161
backups/jim-move-Zope@29064
backups/philikon-zope32-integration@39849
backups/rochael-TM_sortKey@113726
backups/slinkp-collector_596@40067
backups/shh-2.*
backups/shh-2.11-zopelitelayer@80865
backups/tim-2.*
backups/tim-2.9-windows-installer@41463