oss-sec mailing list archives
Plone security hotfix 20210518
From: Maurits van Rees <maurits () vanrees org>
Date: Fri, 21 May 2021 16:07:57 +0200
A Plone security hotfix was released on Tuesday, May 18 2021. For details, see https://plone.org/security/hotfix/20210518 Most CVE numbers are not yet issued. I will request them from Mitre shortly.BTW, I am following the instructions at https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests to first post to this list, then request CVEs at Mitre, then reply to my own post. I don't see many other people doing it in this order. Is that page still accurate?
Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
Versions Not Affected: None. Earlier versions may be affected, but the hotfix has not been tested on them.
The patch addresses several security issues:- Remote Code Execution via traversal in expressions. Reported by David Miller. CVE-2021-32633. - Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton. - Various information disclosures: mostly installation logs. Reported by Calum Hutton. CVE-2021-21360 and CVE-2021-21336. - Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- Reflected XSS in various spots. Reported by Calum Hutton. - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich. - Stored XSS from user fullname. Reported by Tino Kautschke.- Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree. - Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller. - Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller.
A hotfix package has been created at https://pypi.org/project/Products.PloneHotfix20210518/
The fixes will be incorporated in future release Plone 5.2.5. -- Maurits van Rees https://maurits.vanrees.org/ Plone Security Team security () plone org
Current thread:
- Plone security hotfix 20210518 Maurits van Rees (May 21)
- Re: Plone security hotfix 20210518 Maurits van Rees (May 22)