Description
Some vulnerabilities have been reported in Plone, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting and script insertion attacks.
1) Certain input passed to the application is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Certain input passed via markup to Portal.PortalTransforms is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.
3) plone.app.users does not properly check authorisation when user properties are edited. This can be exploited to edit the properties of other users.
NOTE: This vulnerability is reportedly being actively exploited.
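The two controls the advisory says were missing, as an added example that is not Plone's, PortalTransforms' or plone.app.users' own code: an allow-list sanitiser for user-supplied markup (items 1 and 2) and an authorisation check before a user's properties are edited (item 3). The allow-lists, the "Manage users" permission name and the user store are assumptions made for the demonstration.

```python
"""Two added checks illustrating the controls the advisory describes as missing.
Example code, not Plone's, PortalTransforms' or plone.app.users' own; the
allow-lists, permission name and user store below are assumptions."""
from html import escape
from html.parser import HTMLParser

# --- (1)/(2): allow-list sanitiser for user-supplied markup ------------------

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # any other attribute is dropped
DROP_CONTENT = {"script", "style"}                  # drop the element and its text
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class _Sanitiser(HTMLParser):
    """Re-emits only allow-listed tags/attributes; text is always re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...) is dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitise_html(markup):
    """Return markup reduced to the allow-list; script content never survives."""
    p = _Sanitiser()
    p.feed(markup)
    p.close()
    return "".join(p.out)


# --- (3): authorisation check before editing a user's properties -------------

class Forbidden(Exception):
    pass

# Constructed sample store: user id -> (properties, granted permissions).
USERS = {
    "alice": ({"email": "alice@example.org", "fullname": "Alice"}, set()),
    "bob":   ({"email": "bob@example.org", "fullname": "Bob"}, set()),
    "admin": ({"email": "admin@example.org", "fullname": "Admin"}, {"Manage users"}),
}


def can_edit(actor, target, users=USERS):
    """actor may edit target's profile only as that user or with the assumed
    'Manage users' permission. actor must be the authenticated user from the
    session, never an id taken from the request body."""
    return actor == target or "Manage users" in users.get(actor, (None, set()))[1]


def update_user_properties(actor, target, new_props, users=USERS):
    """Apply new_props to target's profile after the authorisation check.
    Without it, a request naming another user's id edits that user's profile."""
    if target not in users:
        raise KeyError(target)
    if not can_edit(actor, target, users):
        raise Forbidden(f"{actor} may not edit properties of {target}")
    props = users[target][0]
    for key, value in new_props.items():
        if key not in props:
            raise ValueError(f"unknown property {key!r}")  # no new keys via mass assignment
        props[key] = value
    return dict(props)
```

The sanitiser works as an allow-list rather than a deny-list of known-bad tags, so new or misspelt elements and event-handler attributes are dropped by default, and text is re-escaped on output so encoded `<script>` in a character reference cannot reappear as markup. The authorisation check is made against the authenticated actor, not against any user id the request supplies, which is the distinction that separates editing one's own profile from editing someone else's.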