Plone security hotfix 20210518

Related Vulnerabilities: CVE-2021-32633, CVE-2021-21360, CVE-2021-21336

oss-sec
mailing list archives
From: Maurits van Rees <maurits () vanrees org>

Date: Fri, 21 May 2021 16:07:57 +0200

A Plone security hotfix was released on Tuesday, May 18 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.

BTW, I am following the instructions at
https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests
to first post to this list, then request CVEs at Mitre, then reply to my
own post.
I don't see many other people doing it in this order. Is that page still
accurate?

Versions Affected: All supported Plone versions (4.3.20 and any earlier 
4.3.x version, 5.2.4 and any earlier 5.x version).

Versions Not Affected: None. Earlier versions may be affected, but the 
hotfix has not been tested on them.

The patch addresses several security issues:

- Remote Code Execution via traversal in expressions. Reported by David 
Miller. CVE-2021-32633.
- Writing arbitrary files via docutils and Python Script. Reported by 
Calum Hutton.
- Various information disclosures: mostly installation logs. Reported by 
Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
- Stored XSS from file upload (svg, html). Reported separately by Emir 
Cüneyt Akkutlu and Tino Kautschke.
- Reflected XSS in various spots. Reported by Calum Hutton.
- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
- Stored XSS from user fullname. Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL. Reported by 
Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL. Reported by MisakiKata 
and David Miller.
- Server Side Request Forgery via lxml parser. Reported by MisakiKata 
and David Miller.

A hotfix package has been created at 
https://pypi.org/project/Products.PloneHotfix20210518/
The fixes will be incorporated in the future release Plone 5.2.5.

--
Maurits van Rees https://maurits.vanrees.org/
Plone Security Team security () plone org
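A defender-side check derived from the version ranges stated in the advisory above (4.3.20 and earlier 4.3.x, 5.2.4 and earlier 5.x affected; 5.2.5 incorporates the fixes). This is an added example, not code from the Plone Security Team or the hotfix package. The PyPI distribution names Products.CMFPlone and Products.PloneHotfix20210518 are real; the status labels, the helper names and the assumption that a pre-release sorts before its final release are this example's own.

```python
"""Classify an installed Plone version against the 20210518 advisory and
report whether the hotfix package is present.

Added example; version ranges come from the advisory text, everything
else (function names, status labels) is an assumption of this script.
"""
from importlib import metadata
import re

PLONE_DIST = "Products.CMFPlone"            # real PyPI name of Plone core
HOTFIX_DIST = "Products.PloneHotfix20210518"  # real PyPI name of the hotfix
FIXED_IN = (5, 2, 5, 0)                     # release that includes the fixes


def parse_version(text):
    """Turn '5.2.4', '4.3.20', '5.0' or '5.2.5rc1' into a comparable tuple
    (major, minor, patch, pre). pre is 0 for a final release and -1 for
    anything with a pre-release suffix, so '5.2.5rc1' sorts before '5.2.5'.
    Treating all suffixes as pre-release is a simplification for this check.
    """
    nums = []
    pre = 0
    for piece in str(text).split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            pre = -1          # e.g. "dev0" segment: pre-release
            break
        nums.append(int(m.group(1)))
        if m.group(2):        # e.g. "5rc1": trailing text marks a pre-release
            pre = -1
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + (pre,)


def classify(version):
    """Map a Plone version to one of: fixed, affected, untested, unlisted."""
    v = parse_version(version)
    if v >= FIXED_IN:
        return "fixed"        # 5.2.5 or later carries the fixes
    if (5, 0, 0, -1) <= v <= (5, 2, 4, 0):
        return "affected"     # "5.2.4 and any earlier 5.x version"
    if (4, 3, 0, -1) <= v <= (4, 3, 20, 0):
        return "affected"     # "4.3.20 and any earlier 4.3.x version"
    if v < (4, 3, 0, -1):
        return "untested"     # advisory: may be affected, hotfix not tested
    return "unlisted"         # e.g. a 4.3.x newer than 4.3.20: not covered


def assess(plone_version, hotfix_installed):
    """Combine the advisory range with hotfix presence into one verdict."""
    status = classify(plone_version)
    if status == "affected":
        return "patched" if hotfix_installed else "vulnerable"
    return status


def installed_version(dist_name):
    """Installed version of a distribution, or None when it is absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def scan_environment():
    """Inspect the current Python environment (the one running Plone)."""
    plone = installed_version(PLONE_DIST)
    if plone is None:
        return "plone-not-installed"
    return assess(plone, installed_version(HOTFIX_DIST) is not None)


if __name__ == "__main__":
    print(scan_environment())
```

Run it with the Python interpreter that serves the Plone instance (for example the one in the buildout's bin/ directory), since `importlib.metadata` only sees distributions installed in that environment; a "vulnerable" result means the site version is in the affected range and the hotfix distribution is not installed.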
