Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.
References
| Link | Resource |
|---|---|
| http://www.securityfocus.com/bid/96117 | |
| https://plone.org/security/hotfix/20170117 | Release Notes, Patch, Vendor Advisory |
| https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 | Vendor Advisory |
| https://www.curesec.com/blog/article/blog/Plone-XSS-186.html | Patch, Third Party Advisory, VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-02-04T05:20:00
Updated: 2017-02-09T10:57:02
Reserved: 2016-09-05T00:00:00
Link: CVE-2016-7147
NVD Information
Status : Modified
Published: 2017-02-04T05:59:00.130
Modified: 2017-02-10T02:59:01.950
Link: CVE-2016-7147
Redhat Information
No data.
CWE