CVE-2023-44389 — Zope management interface vulnerable to stored cross site scripting via the titl

Description

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6

How to fix CVE-2023-44389

To remediate CVE-2023-44389, upgrade the affected package to a fixed version below.

—upgrade to 4.8.11 or later
—upgrade to aeaf2cdc80dff60815e3706af448f086ddc3b98d or later

Is CVE-2023-44389 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 4.0.0, < 4.8.11
from 0, < aeaf2cdc80dff60815e3706af448f086ddc3b98d, < 21dfa78609ffd8b6bd8143805678ebbacae5141a | >= 5.0, < 5.8.6, >= 4.0, < 4.8.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-44389
PATCHgithub.com/zopefoundation/Zope
WEBgithub.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2023-193.yaml
WEBgithub.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a