Plone security hotfix 20210518

[Maurits van Rees <maurits () vanrees org>]

A Plone security hotfix was released on Tuesday, May 18 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.

BTW, I am following the instructions at 
https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests 
to first post to this list, then request CVEs at Mitre, then reply to my 
own post.
I don't see many other people doing it in this order. Is that page still 
accurate?

Versions Affected: All supported Plone versions (4.3.20 and any earlier 
4.3.x version, 5.2.4 and any earlier 5.x version).

Versions Not Affected: None. Earlier versions may be affected, but the 
hotfix has not been tested on them.

The patch addresses several security issues:

- Remote Code Execution via traversal in expressions. Reported by David 
Miller. CVE-2021-32633.
- Writing arbitrary files via docutils and Python Script. Reported by 
Calum Hutton.
- Various information disclosures: mostly installation logs. Reported by 
Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
- Stored XSS from file upload (svg, html). Reported separately by Emir 
Cüneyt Akkutlu and Tino Kautschke.
- Reflected XSS in various spots. Reported by Calum Hutton.
- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
- Stored XSS from user fullname. Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL. Reported by 
Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL. Reported by MisakiKata 
and David Miller.
- Server Side Request Forgery via lxml parser. Reported by MisakiKata 
and David Miller.

A hotfix package has been created at 
https://pypi.org/project/Products.PloneHotfix20210518/
The fixes will be incorporated in future release Plone 5.2.5.

--
Maurits van Rees https://maurits.vanrees.org/
Plone Security Team security () plone org