Safety vulnerability ID: 41256
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Plone.app.content 4.0.0a3 includes fixes for:
- Stored XSS in folder contents.
  https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents
- Stored XSS from user fullname and possibly other places where "getVocabulary" is called. This is an alternative to the "plone.app.users" workaround from the "PloneHotfix20210518" fullname fix.
  https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname
See CVE-2021-35959.
Latest version: 3.8.8
Content Views for Plone
--------------------
Bug fixes:
- Fixed stored XSS in folder contents.
  From the `PloneHotfix20210518 contents fix <https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents>`_.
  [maurits] (3274)
- Fixed stored XSS from user fullname and possibly other places where ``getVocabulary`` is called.
  This is an alternative to the ``plone.app.users`` workaround from the `PloneHotfix20210518 fullname fix <https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname>`_.
  It looks like Plone 6 is not vulnerable, but this change makes sure.
  [maurits] (3274)