CVE-2017-1000482
MEDIUM5.4EPSS 0.29%Products.CMFPlone XSS in profile home_page property
Published: 5/14/2022Modified: 10/18/2024
Description
A member of the Plone site could set javascript in the `home_page` property of their profile, and have this executed when a visitor clicks the home page link on the author page.
Affected packages (3)
- PyPI/plone>= 2.5a1, < 4.3.16
- PyPI/plone>= 2.5, < 4.3.16, >= 5, < 5.1.0
- PyPI/products-cmfplonefrom 0, < 4.3.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000482
- PATCHhttps://github.com/plone/Products.CMFPlone
- WEBhttps://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab
- WEBhttps://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b
- WEBhttps://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8
- WEBhttps://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373
- WEBhttps://github.com/plone/Products.CMFPlone/issues/2232
- WEBhttps://github.com/plone/Products.CMFPlone/pull/2233
- WEBhttps://github.com/plone/Products.CMFPlone/pull/2234
- WEBhttps://github.com/plone/Products.CMFPlone/pull/2235
- WEBhttps://github.com/plone/Products.CMFPlone/pull/2236
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml
- WEBhttps://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property