CVE-2023-41048

plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds.

plone.namedfile permite a los usuarios manejar los campos `File` e `Image` dirigidos, pero no dependiendo del contenido de Plone Dexterity. Antes de las versiones 5.6.1, 6.0.3, 6.1.3 y 6.2.1, existe una vulnerabilidad de Cross-Site Scripting almacenado para imágenes SVG. Una revisión de seguridad de 2021 ya solucionó parcialmente este problema al garantizar que las imágenes SVG siempre se descarguen en lugar de mostrarse en línea. Pero el mismo problema todavía existe para las escalas de imágenes SVG. Tenga en cuenta que una etiqueta de imagen con una imagen SVG como fuente no es vulnerable, incluso cuando la imagen SVG contiene código malicioso. Para explotar la vulnerabilidad, un atacante primero tendría que cargar una imagen y luego engañar al usuario para que siga un enlace especialmente manipulado. Los parches están disponibles en las versiones 5.6.1 (para Plone 5.2), 6.0.3 (para Plone 6.0.0-6.0.4), 6.1.3 (para Plone 6.0.5-6.0.6) y 6.2.1 (para Plón 6.0.7). No se conocen workarounds.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-22 CVE Reserved
2023-09-21 CVE Published
2024-08-02 CVE Updated
2024-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CAPEC

References (7)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2023/09/22/2	Mailing List
https://github.com/plone/Products.PloneHotfix20210518	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/plone/plone.namedfile/commit/188f66a4577021cf8f2bf7c0f5150f9b9573f167	2023-09-26
https://github.com/plone/plone.namedfile/commit/217d6ce847b7171bf1b73fcb6c08010eb449216a	2023-09-26
https://github.com/plone/plone.namedfile/commit/f0f911f2a72b2e5c923dc2ab9179319cc47788f9	2023-09-26
https://github.com/plone/plone.namedfile/commit/ff5269fb4c79f4eb91dd934561b8824a49a03b60	2023-09-26

URL	Date	SRC
https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x	2023-09-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Plone Search vendor "Plone"	Namedfile Search vendor "Plone" for product "Namedfile"	< 5.6.1 Search vendor "Plone" for product "Namedfile" and version " < 5.6.1"	-	Affected	in	Plone Search vendor "Plone"	Plone Search vendor "Plone" for product "Plone"	5.2 Search vendor "Plone" for product "Plone" and version "5.2"	-	Safe
Plone Search vendor "Plone"	Namedfile Search vendor "Plone" for product "Namedfile"	>= 6.0.0 < 6.0.3 Search vendor "Plone" for product "Namedfile" and version " >= 6.0.0 < 6.0.3"	-	Affected	in	Plone Search vendor "Plone"	Plone Search vendor "Plone" for product "Plone"	>= 6.0.0 <= 6.0.4 Search vendor "Plone" for product "Plone" and version " >= 6.0.0 <= 6.0.4"	-	Safe
Plone Search vendor "Plone"	Namedfile Search vendor "Plone" for product "Namedfile"	>= 6.1.0 < 6.1.3 Search vendor "Plone" for product "Namedfile" and version " >= 6.1.0 < 6.1.3"	-	Affected	in	Plone Search vendor "Plone"	Plone Search vendor "Plone" for product "Plone"	6.0.5 Search vendor "Plone" for product "Plone" and version "6.0.5"	-	Safe
Plone Search vendor "Plone"	Namedfile Search vendor "Plone" for product "Namedfile"	>= 6.1.0 < 6.1.3 Search vendor "Plone" for product "Namedfile" and version " >= 6.1.0 < 6.1.3"	-	Affected	in	Plone Search vendor "Plone"	Plone Search vendor "Plone" for product "Plone"	6.0.6 Search vendor "Plone" for product "Plone" and version "6.0.6"	-	Safe
Plone Search vendor "Plone"	Namedfile Search vendor "Plone" for product "Namedfile"	6.2.0 Search vendor "Plone" for product "Namedfile" and version "6.2.0"	-	Affected	in	Plone Search vendor "Plone"	Plone Search vendor "Plone" for product "Plone"	6.0.7 Search vendor "Plone" for product "Plone" and version "6.0.7"	-	Safe