A Plone security hotfix was released on Tuesday, May 18, 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.
The patch addresses several security issues:
- Reflected XSS in various spots. Reported by Calum Hutton.
- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
- Stored XSS from user fullname. Reported by Tino Kautschke.
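As an added illustration of the stored-XSS class named in the last item (example code written for this note, not Plone's or CMFDiffTool's own), the following shows a user-supplied display name being rendered into HTML unescaped versus escaped with Python's standard `html.escape`, plus a small regression check that flags when user input has been interpreted as markup. The function names and the sample names are constructed for this example.

```python
"""Escaping a stored display name before rendering it as HTML.

Added example, not Plone code. Helper names and sample values are constructed.
"""
import html

# Constructed sample values a user might save in a profile "fullname" field.
SAMPLE_NAMES = [
    "Jane Doe",
    "O'Brien & Sons",
    "<b>Not really bold</b>",
]


def render_fullname_unsafe(fullname: str) -> str:
    """Insert the stored value directly into markup: the stored-XSS pattern."""
    return f'<span class="fullname">{fullname}</span>'


def render_fullname_safe(fullname: str) -> str:
    """Escape the stored value so the browser treats it as text, not markup."""
    return f'<span class="fullname">{html.escape(fullname, quote=True)}</span>'


def render_attribute_safe(fullname: str) -> str:
    """Same value inside an attribute; quote=True also escapes ' and "."""
    return f'<a href="/author" title="{html.escape(fullname, quote=True)}">profile</a>'


def leaks_markup(rendered: str, template_tag_count: int) -> bool:
    """Regression check: if the fragment contains more '<' than the template
    itself emits, user input was rendered as markup rather than as text."""
    return rendered.count("<") > template_tag_count


def audit(names=SAMPLE_NAMES) -> dict:
    """Render each sample both ways; report which renderings leak markup."""
    return {
        name: {
            "unsafe_leaks": leaks_markup(render_fullname_unsafe(name), 2),
            "safe_leaks": leaks_markup(render_fullname_safe(name), 2),
        }
        for name in names
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name!r}: {result}")
```

The same rule applies to the reflected case in the first item: a query parameter echoed back into the page must go through the same escaping (text context or attribute context) before it reaches the response.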
The fixes will be incorporated in the upcoming Plone 5.2.5 release.
--
Maurits van Rees https://maurits.vanrees.org/
Plone Security Team security () plone org