Plone: stored XSS in folder contents

[Maurits van Rees <maurits () vanrees org>]

A very good day to all you lovely people!

Matt Moreschi discovered a vulnerability in Plone and reported it to the 
security list, security () plone org.
In Plone 5.0.0 through 5.2.4, Editors are vulnerable to XSS in the 
folder contents view, if a Contributor has created a folder with a 
SCRIPT tag in the description field.
Full information is here: 
https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents
Since we had recently created a hotfix package, we decided to include a 
fix in a new version, 1.5.
This is available from 
https://pypi.org/project/Products.PloneHotfix20210518/1.5/ and 
https://plone.org/security/hotfix/20210518
The fix will be included in the affected package plone.app.content 
3.8.8, which will be included in Plone 5.2.5, expected in July.

CVE number is CVE-2021-35959:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35959

Thanks,

--
Maurits van Rees https://maurits.vanrees.org/