oss-sec mailing list archives

Plone: cache poisoning in image_view_fullscreen


From: Maurits van Rees <maurits () vanrees org>
Date: Mon, 31 Jan 2022 09:34:53 +0100

Plone is vulnerable to reflected cross-site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page into a cache, for example in Varnish.
The technique is known as cache poisoning.
Any later visitor who is served the poisoned page can be redirected when clicking on a link on it.
Usually only anonymous users are affected, but this depends on your cache settings.

Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.6 and any earlier 5.x version, 6.0.0a2 and any earlier 6.0.0 version).

There are updated packages for Plone 5.2:

plone.app.contenttypes 2.2.3
Products.ATContentTypes 3.0.6

And updated packages for 6.0 (which is in alpha):

plone.app.contenttypes 3.0.0a9

With the default version pins, new Plone 5.2.7 and 6.0.0a3 are not affected. Earlier versions are.

CVE number: CVE-2022-23599.

More information:

- GitHub: https://github.com/plone/Products.CMFPlone/security/advisories/GHSA-8w54-22w9-3g8f
- community.plone.org: https://community.plone.org/t/security-fix-for-image-view-fullscreen-cache-poisoning/14757?u=mauritsvanrees
- plone.org: https://plone.org/security/hotfix/20220128

--
Maurits van Rees https://maurits.vanrees.org/
