oss-sec mailing list archives
XSS In Zope
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Feb 2015 10:38:20 -0700
So originally Radek Steoger of Red Hat found an XSS in luci/conga:

==========
Within luci's use of Products.PluggableAuthService there appears to be an XSS, e.g.:

https://luci.example.com:8084/acl_users/users/manage_updatePasswordForm?manage_tabs_message=%3Cscript%3Ealert('1234')%3C/script%3E
==========

This was tracked down to being in Products.PluggableAuthService (a component of Zope). I notified the Zope security people; they tracked it down on their end, and this was actually found/fixed in 2009:

https://bugs.launchpad.net/zope2/+bug/490514
https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d

The fix was forward ported from the 2.10 branch, as well as to the 2.11 branch and the trunk. The fix landed in:

Zope 2.10.10
Zope 2.11.5
Zope 2.12.2

With thanks to Tres, Matt and Nathan for sorting this out/chasing it down on Zope's end (basically they did all the heavy lifting).

So this should probably get a CVE from 2009.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
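The bug class in the message above is a reflected XSS: the value of the `manage_tabs_message` query parameter is written back into the management page without HTML escaping. The following is an added illustration written for this page, not Zope's or luci's code and not the actual 2009 fix; the two `render_tabs_*` functions are hypothetical stand-ins for a template that emits the tab message, and the only thing taken from the post is the reported URL and its payload. It shows the unescaped rendering beside the escaped one and a small reflection check of the kind you would use to confirm whether a deployed instance is still affected.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the advisory; the payload is carried in manage_tabs_message.
ADVISORY_URL = (
    "https://luci.example.com:8084/acl_users/users/"
    "manage_updatePasswordForm?manage_tabs_message="
    "%3Cscript%3Ealert('1234')%3C/script%3E"
)


def tabs_message_from_url(url: str) -> str:
    """Return the decoded manage_tabs_message parameter as the server would see it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("manage_tabs_message", [""])[0]


def render_tabs_vulnerable(message: str) -> str:
    """Hypothetical template that interpolates the parameter straight into markup.

    This is the pattern behind the reported bug: whatever the query string
    carries ends up in the page byte for byte, so a <script> tag executes.
    """
    return '<div class="system-msg">%s</div>' % message


def render_tabs_fixed(message: str) -> str:
    """Hardened form: HTML-escape the user-controlled value before interpolation.

    quote=True also escapes ' and " so the value is safe inside attributes too.
    """
    return '<div class="system-msg">%s</div>' % html.escape(message, quote=True)


def reflects_unescaped(page: str, payload: str) -> bool:
    """True if the rendered page contains the raw payload verbatim.

    A verbatim hit on a payload containing '<' and '>' means no escaping was
    applied on that path; an escaped page never contains the raw tag.
    """
    return payload in page


def probe(render):
    """Run a marker payload through a renderer and report whether it reflects.

    Uses a unique marker so a match cannot come from unrelated page content.
    The renderer is any callable taking the parameter value and returning HTML,
    which is also the shape of a wrapper around a real HTTP request.
    """
    marker = "<xss-probe-7f3a>"
    return reflects_unescaped(render(marker), marker)


if __name__ == "__main__":
    msg = tabs_message_from_url(ADVISORY_URL)
    print("payload      :", msg)
    print("vulnerable   :", render_tabs_vulnerable(msg))
    print("fixed        :", render_tabs_fixed(msg))
    print("vuln reflects:", probe(render_tabs_vulnerable))
    print("fix reflects :", probe(render_tabs_fixed))
```

Against a live instance the same `probe` logic applies: fetch the management form with a unique marker in `manage_tabs_message` and look for the marker with its angle brackets intact in the response body. A page that returns `&lt;xss-probe-7f3a&gt;` is escaping the parameter; one that returns the raw marker is still carrying the 2009 bug.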
Current thread:
- XSS In Zope Kurt Seifried (Feb 26)
- Re: XSS In Zope cve-assign (Mar 02)