CVE-2020-7937

unknown

Published 2022-05-24 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2

—

VIR risk

—

Description

An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	plone	`>=5.0,<=5.2.1`
PyPI	plone	`>=5.0,<5.2.2`	`5.2.2`

References

https://nvd.nist.gov/vuln/detail/CVE-2020-7937
https://github.com/plone/Plone
https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-86.yaml
https://plone.org/security/hotfix/20200121
https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher
https://www.openwall.com/lists/oss-security/2020/01/22/1
http://www.openwall.com/lists/oss-security/2020/01/24/1

Verify integrity in audit chain (admin only). AS-IS.