|
Message-ID: <0919707c-0f29-ac46-35f5-d6890faf0f4e@vanrees.org> Date: Fri, 21 May 2021 16:07:57 +0200 From: Maurits van Rees <maurits@...rees.org> To: oss-security@...ts.openwall.com Subject: Plone security hotfix 20210518 A Plone security hotfix was released on Tuesday, May 18 2021. For details, see https://plone.org/security/hotfix/20210518 Most CVE numbers are not yet issued. I will request them from Mitre shortly. BTW, I am following the instructions at https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests to first post to this list, then request CVEs at Mitre, then reply to my own post. I don't see many other people doing it in this order. Is that page still accurate? Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version). Versions Not Affected: None. Earlier versions may be affected, but the hotfix has not been tested on them. The patch addresses several security issues: - Remote Code Execution via traversal in expressions. Reported by David Miller. CVE-2021-32633. - Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton. - Various information disclosures: mostly installation logs. Reported by Calum Hutton. CVE-2021-21360 and CVE-2021-21336. - Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke. - Reflected XSS in various spots. Reported by Calum Hutton. - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich. - Stored XSS from user fullname. Reported by Tino Kautschke. - Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree. - Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller. - Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller. A hotfix package has been created at https://pypi.org/project/Products.PloneHotfix20210518/ The fixes will be incorporated in future release Plone 5.2.5. -- Maurits van Rees https://maurits.vanrees.org/ Plone Security Team security@...ne.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.