Skip to main content

Zope CVE-2023-44389

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-10-04 security-advisories@github.com
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 04, 2023 - 21:15 nvd
MEDIUM 4.8

DescriptionNVD

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.

AnalysisAI

Zope is an open-source web application server. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6. Affected products include: Zope.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Zope

View all
CVE-2021-32633 HIGH POC
8.8 May 21

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl

CVE-2023-42458 MEDIUM POC
5.4 Sep 21

Zope is an open-source web application server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploita

CVE-2012-6661 MEDIUM POC
5.0 Nov 03

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number gener

CVE-2021-32674 HIGH
8.8 Jun 08

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl

CVE-2023-41050 HIGH
7.7 Sep 06

AccessControl provides a general security framework for use in Zope. Rated high severity (CVSS 7.7), this vulnerability

CVE-2021-32811 HIGH
7.2 Aug 02

Zope is an open-source web application server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl

CVE-2012-5489 MEDIUM
6.5 Sep 30

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in P

CVE-2012-5486 MEDIUM
6.4 Sep 30

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attacker

CVE-2021-33507 MEDIUM
6.1 May 21

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and ot

CVE-2012-5507 MEDIUM
4.3 Sep 30

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote

Share

CVE-2023-44389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy