CVE-2023-42458

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-42458
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42458.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-42458
Aliases
Published
2023-09-21T16:34:11.747Z
Modified
2026-04-02T09:21:37.578241Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Zope vulnerable to Stored Cross Site Scripting with SVG images
Details

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.

Database specific 
{
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42458.json"
}
References

Affected packages

Git / github.com/zopefoundation/zope

Affected ranges

Type
GIT
Repo
https://github.com/zopefoundation/zope
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
13596dfeb44456dd144126c9b4da1ac442f759a7

Affected versions

Other
2-8-6
2-8-7
2-8-8
Zope-2-8-0
Zope-2-8-0-a1
Zope-2-8-0-a2
Zope-2-8-0-b1
Zope-2-8-0-b2
Zope-2-8-1
Zope-2-8-1-b1
Zope-2-8-2
Zope-2-8-3
Zope-2-8-4
Zope-2-8-6
ajung-final-zpt-integration-before-merge-savepoint
backups/Zope-2_9-branch@40220
backups/acripps-resourceViewletDirective@75991
backups/ajung-2-11-prep-branch@82440
backups/ajung-epi-integration@29916
backups/ajung-final-zpt-integration@68335
backups/ajung-translatationservice@30288
backups/ajung-zcatalog-progress@26609
backups/ajung-zpt-encoding-fixes@71736
backups/ajung-zpt-end-game@68335
backups/ajung-zpt-integration@68335
backups/ajung-zpt-strict-unicode@68335
backups/andig-catalog-report@115049
backups/chrism-mountpoint@39745
backups/davisagli-copy-export@123222
backups/dc-bobo_traverse-branch@28330
backups/dc-large_file-branch@28340
backups/easter-sprint_twistedserver@67155
backups/efge-five-events-work@40031
backups/gotcha-LP143531@113945
backups/gotcha-processlifetime@113938
backups/hannosch-dtml-vs-accesscontrol@113161
backups/jim-move-Zope@29064
backups/philikon-deprecate-interfaces@68354
backups/philikon-fix-lookup-priorities@66204
backups/philikon-local-components@67666
backups/philikon-zope32-integration@39849
backups/regebro-issue_1888@67834
backups/regebro-strftime_1127@67835
backups/regebro-unittest_docs@67835
backups/regebro-wsgi_refactor@67833
backups/regebro-zopectl_shellfix@67835
backups/rochael-TM_sortKey@113726
backups/slinkp-1447-httpcache-fix-branch@67981
backups/slinkp-collector_1895@38740
backups/slinkp-collector_596@40067
backups/slinkp_1726_zopeundo@40069
backups/tim-merge-zodb34@29764
backups/tseaver-catalog_getObject_raises@110393
backups/tseaver-clarify_install_docs@110394
backups/tseaver-collector_1460@110395
backups/tseaver-collector_1774@40462
backups/tseaver-five-integration-security@110396
backups/tseaver-five-integration-security@29697
backups/tseaver-instlib_as_site_dir@110397
backups/tseaver-no_globals_imports@94459
backups/tseaver-retire_zpkg@69009
backups/tyam-unicodeSplitterPatch@104722
backups/z4-zmi@124419
backups/zodb-blobs-branch@39746
backups/zope33-port@68354
before-merging-console-scripts-branch
cvs-to-svn-conversion
philikon-aq-checkpoint
2.*
2.10.0
2.10.0b1
2.10.0b2
2.10.0c1
2.10.1
2.10.10
2.10.11
2.10.12
2.10.13
2.10.2
2.10.2b1
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.10.9
2.11.0
2.11.0a1
2.11.0b1
2.11.0c1
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.12-last-fulltree-revision
2.12.0
2.12.0a1
2.12.0a2
2.12.0a3
2.12.0a4
2.12.0b1
2.12.0b2
2.12.0b3
2.12.0b4
2.12.0c1
2.12.1
2.12.10
2.12.11
2.12.12
2.12.13
2.12.14
2.12.15
2.12.16
2.12.17
2.12.18
2.12.19
2.12.2
2.12.20
2.12.21
2.12.22
2.12.23
2.12.24
2.12.25
2.12.26
2.12.27
2.12.28
2.12.3
2.12.4
2.12.5
2.12.6
2.12.7
2.12.8
2.12.9
2.13.0
2.13.0a1
2.13.0a2
2.13.0a3
2.13.0a4
2.13.0b1
2.13.0c1
2.13.1
2.13.10
2.13.11
2.13.12
2.13.13
2.13.14
2.13.15
2.13.16
2.13.17
2.13.18
2.13.19
2.13.2
2.13.20
2.13.21
2.13.22
2.13.23
2.13.24
2.13.25
2.13.26
2.13.27
2.13.28
2.13.29
2.13.3
2.13.30
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.8.10
2.8.11
2.8.12
2.8.9
2.8.9.1
2.9.0
2.9.0b1
2.9.0b2
2.9.1
2.9.10
2.9.12
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
4.*
4.0
4.0a1
4.0a2
4.0a3
4.0a4
4.0a5
4.0a6
4.0b1
4.0b10
4.0b2
4.0b3
4.0b4
4.0b5
4.0b6
4.0b7
4.0b8
4.0b9
4.1
4.1.1
4.1.2
4.1.3
4.2
4.2.1
4.3
4.4
4.4.1
4.4.2
4.4.3
4.4.4
4.5
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6
4.6.1
4.6.2
4.6.3
4.7
4.8
4.8.1
4.8.10
4.8.11
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
5.*
5.0
5.0a1
5.0a2
5.1
5.1.1
5.1.2
5.2
5.2.1
5.3
5.4
5.5
5.5.1
5.5.2
5.6
5.7
5.7.1
5.7.2
5.7.3
5.8
5.8.1
5.8.2
5.8.3
5.8.4
Zope-2.*
Zope-2.8.5
backups/2.*
backups/2.10-with-ZODB3.8@83153
backups/2.10@68399
backups/Zope-2.*
backups/Zope-2.9@40221
backups/shh-2.*
backups/shh-2.11-zopelitelayer@80865
backups/tim-2.*
backups/tim-2.9-windows-installer@41463
backups/tseaver-2.*
backups/tseaver-2.11-no-z2-interfaces@110391
backups/tseaver-2.8-external_test@110392
backups/tseaver-2.8-external_test@29729
backups/tseaver-retire_zpkg-2.*
backups/tseaver-retire_zpkg-2.10@69010
backups/tseaver-zope.*
backups/tseaver-zope.app_delenda_est@110398
backups/witsch-2.*
backups/witsch-2.10-with-standard-docutils@76342
backups/witsch-zope2.*
backups/witsch-zope2.11-with-standard-docutils@83154

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42458.json"