CVE-2023-42458
Last modified
CVE-2023-42458 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zope | Zope | < 4.8.10 |
| Zope | Zope | >= 5.0.0, < 5.8.5 |
References
- http://www.openwall.com/lists/oss-security/2023/09/22/2Exploit, Third Party Advisory
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5vThird Party Advisory
- http://www.openwall.com/lists/oss-security/2023/09/22/2Exploit, Third Party Advisory
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5vThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-42458?
How severe is CVE-2023-42458?
How do I fix CVE-2023-42458?
Are you affected by CVE-2023-42458?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST