CVE-2017-1000482: Products.CMFPlone XSS in profile home_page property
(updated )
A member of the Plone site could set javascript in the home_page property of their profile, and have this executed when a visitor clicks the home page link on the author page.
References
- github.com/advisories/GHSA-859j-668v-mrr6
- github.com/plone/Products.CMFPlone
- github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab
- github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b
- github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8
- github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373
- github.com/plone/Products.CMFPlone/issues/2232
- github.com/plone/Products.CMFPlone/pull/2233
- github.com/plone/Products.CMFPlone/pull/2234
- github.com/plone/Products.CMFPlone/pull/2235
- github.com/plone/Products.CMFPlone/pull/2236
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml
- nvd.nist.gov/vuln/detail/CVE-2017-1000482
- plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property
Detect and mitigate CVE-2017-1000482 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →