<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Plone security hotfix 20210518
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Maurits van Rees <maurits () vanrees org>
Date: Fri, 21 May 2021 16:07:57 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
A Plone security hotfix was released on Tuesday, May 18 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.
BTW, I am following the instructions at
https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests
to first post to this list, then request CVEs at Mitre, then reply to my
own post.
I don't see many other people doing it in this order. Is that page still
accurate?
Versions Affected: All supported Plone versions (4.3.20 and any earlier
4.3.x version, 5.2.4 and any earlier 5.x version).
Versions Not Affected: None. Earlier versions may be affected, but the
hotfix has not been tested on them.
The patch addresses several security issues:
- Remote Code Execution via traversal in expressions. Reported by David
Miller. CVE-2021-32633.
- Writing arbitrary files via docutils and Python Script. Reported by
Calum Hutton.
- Various information disclosures: mostly installation logs. Reported by
Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
- Stored XSS from file upload (svg, html). Reported separately by Emir
Cüneyt Akkutlu and Tino Kautschke.
- Reflected XSS in various spots. Reported by Calum Hutton.
- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
- Stored XSS from user fullname. Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL. Reported by
Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL. Reported by MisakiKata
and David Miller.
- Server Side Request Forgery via lxml parser. Reported by MisakiKata
and David Miller.
A hotfix package has been created at
https://pypi.org/project/Products.PloneHotfix20210518/
The fixes will be incorporated in future release Plone 5.2.5.
--
Maurits van Rees https://maurits.vanrees.org/
Plone Security Team security () plone org
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Plone security hotfix 20210518 Maurits van Rees (May 21)
Re: Plone security hotfix 20210518 Maurits van Rees (May 22)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->