CVE-2023-44389 – zope

Package

Manager: pip
Name: zope
Vulnerable Version: >=4.0.0 <4.8.11 || >=5.0.0 <5.8.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00339 pctl0.55987

Details

Zope management interface vulnerable to stored cross site scripting via the title property ### Impact The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected. ### Patches Patches will be released with Zope versions 4.8.11 and 5.8.6. ### Workarounds Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default.

Metadata

Created: 2023-10-04T18:50:25Z
Modified: 2024-11-19T19:15:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-m755-gxxg-r5qh/GHSA-m755-gxxg-r5qh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-m755-gxxg-r5qh
Finding: F425
Auto approve: 1