CVE-2017-1000482
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | products-cmfplone | <4.3.17 | 4.3.17 |
| PyPI | products-cmfplone | >=5.0.0,<5.0.10 | 5.0.10 |
| PyPI | products-cmfplone | >=5.1a1,<5.1.0 | 5.1.0 |
| PyPI | plone | >=2.5a1,<4.3.16 | 4.3.16 |
| PyPI | plone | >=5.0a1,<5.1.0 | 5.1.0 |
| PyPI | plone | >=5,<5.1.0 | 4.3.16 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000482
- https://github.com/plone/Products.CMFPlone/issues/2232
- https://github.com/plone/Products.CMFPlone/pull/2233
- https://github.com/plone/Products.CMFPlone/pull/2234
- https://github.com/plone/Products.CMFPlone/pull/2235
- https://github.com/plone/Products.CMFPlone/pull/2236
- https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab
- https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b
- https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8
- https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373
- https://github.com/plone/Products.CMFPlone
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml
- https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property
Verify integrity in audit chain (admin only). AS-IS.