QwikSec

Security Database

CVE

CWE

Training

CVE-2023-42458

Published: Sep 21, 2023

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

3.7

LOW

Description

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.

Vendor	Product	Versions
zopefoundation	Zope	affected `< 4.8.10` affected `>= 5.0.0, < 5.8.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v

x_refsource_CONFIRM

https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088

x_refsource_MISC

https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2023/09/22/2

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.