oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Plone security hotfix 20210518

From: Maurits van Rees <maurits () vanrees org>
Date: Sat, 22 May 2021 13:34:10 +0200
CVE numbers inline below. Thanks.

On 21/05/2021 16:07, Maurits van Rees wrote:

A Plone security hotfix was released on Tuesday, May 18 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.
BTW, I am following the instructions at https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests to first post to this list, then request CVEs at Mitre, then reply to my own post. I don't see many other people doing it in this order. Is that page still accurate?
Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
Versions Not Affected: None. Earlier versions may be affected, but the hotfix has not been tested on them. 

The patch addresses several security issues:
- Remote Code Execution via traversal in expressions. Reported by David Miller. CVE-2021-32633. - Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton. 

CVE-2021-33509
- Various information disclosures: mostly installation logs. Reported by Calum Hutton. CVE-2021-21360 and CVE-2021-21336. - Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke. 

CVE-2021-33512


- Reflected XSS in various spots. Reported by Calum Hutton.


CVE-2021-33507


- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.


CVE-2021-33513


- Stored XSS from user fullname. Reported by Tino Kautschke.


CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313 which is public now with 
his report.  My bad.
- Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree.
The reporter prefered to request the CVE for this one, so waiting to hear back.
- Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller. 

CVE-2021-33510
- Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller. 

CVE-2021-33511
A hotfix package has been created at https://pypi.org/project/Products.PloneHotfix20210518/ 
The fixes will be incorporated in future release Plone 5.2.5.


--
Maurits van Rees https://maurits.vanrees.org/
Previous By Date Next
Previous By Thread Next

Current thread: