oss-sec mailing list archives
Re: CVE Request: Plone XSS
From: cve-assign () mitre org
Date: Tue, 22 Sep 2015 16:57:20 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
https://plone.org/security/20150910/non-persistent-xss-in-plone
https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087
+ if ('<script' in url or '%3Cscript' in url or 'javascript:' in url or + 'javascript%3A' in url):
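Review bot: the added condition at `+ if ('<script' in url or '%3Cscript' in url or 'javascript:' in url or 'javascript%3A' in url):` is a blocklist of four literal substrings compared with Python's case-sensitive `in`, so it recognizes only the exact spellings listed and nothing else; that is also why the CVE assignment below has to be scoped to these substrings alone. A more durable fix is to parse `url` with `urllib.parse.urlparse`, accept only an allowlisted scheme (http, https) or a relative path, and HTML-escape the value at the point it is written into the page, rather than growing the substring list as further variants are reported.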
Use CVE-2015-7316. If more restrictions on url substrings are added later to address other XSS attack vectors, those would not be within the scope of CVE-2015-7316. The MITRE CVE team has not looked at whether any other change is needed.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWAb2lAAoJEL54rhJi8gl5QmAQAIIj0j9BaJ9HfGiT5wsJ9QWd
OVkPn6pb/dKcvLV+ZCL5ZmEkGAex7X7Jy8r8mZyePCEvdRkY7NLyv4VPbmaCmQX5
LOYppbBG+ZlA9gQxkUjY+YV9COrxWNG4vvTul05sPvM9CODhJz8tY4J9VIj5ESgn
CQgxzeRlNHcewhvE4AvuQpZzBZXW/LFbKk4u1CWfJJxTosW8U4GWLmxZ3hRpAoOU
RClHw+W4oqudBet/1rd4O/S6dVJz+7SJCDirKbeRyK2qaI0iZiIDw023Vg5tO2hS
1jll34TriDCKz/vspB6L7oSQTeUTkKpnpJ+cmMsimyEGRYvRrvfXLVOV3bMI+/tJ
hGBbmm7YNAd3PX5IN1xrKt8CljACJvD0SAV13Ldbyk7FkhrvpsC0mqQzkmp8dW6D
bKXjJdwmaMp+IJIzLdoSyqsgmDQM1FhIbc4QyGQ/LiO1RnUKIDgt2M8oSeraYiU8
vvXbMPtSj1RwPKyG1sU51tx2z27ktj0tY67wedoMwz7t6wvDw8lXa+Yj960QPKsg
Ty+BsCipjADEDdPwgVBHR/ql0VEwPuohtnaJCjQBUcLsT69et2TC5duk0U9frNr/
EL+5yqumJ5KKQSf+L4xE8CS+83GyUoMGw1GpcddW0SKS/ChCNjN43rGlfe8yKSSb
Y2CGXnGXmPqDmFB+xcU6
=oYlR
-----END PGP SIGNATURE-----
Current thread:
- CVE Request: Plone XSS Nathan Van Gheem (Sep 19)
- Re: CVE Request: Plone XSS cve-assign (Sep 22)