Safety vulnerability ID: 61343
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Zope 4.8.10 and 5.8.5 include a fix for CVE-2023-42458: Stored Cross Site Scripting with SVG images.
https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
Latest version: 5.11.1
Zope application server / web framework
- Allow only some image types to be displayed inline. Force download for
others, especially SVG images. By default we use a list of allowed types.
You can switch to a list of denied types by setting OS environment variable
``OFS_IMAGE_USE_DENYLIST=1``. You can override the allowed list with
environment variable ``ALLOWED_INLINE_MIMETYPES`` and the disallowed list
with ``DISALLOWED_INLINE_MIMETYPES``. Separate multiple entries by either
comma or space. This change only affects direct URL access.
``<img src="image.svg" />`` works the same as before. (CVE-2023-42458)
See `security advisory <https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v>`_.
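The allow/deny decision described above, as an added example that models the documented behaviour rather than Zope's own code: the three environment variable names and the comma-or-space separator come from the changelog entry, while the default MIME lists, the strict ``"1"`` check and the helper names are assumptions made for this illustration.

```python
import os

# Assumed defaults for this example; Zope's actual default lists are not on the page.
DEFAULT_ALLOWED_INLINE_MIMETYPES = frozenset({
    "image/gif", "image/jpeg", "image/png", "image/webp",
})
DEFAULT_DISALLOWED_INLINE_MIMETYPES = frozenset({"image/svg+xml"})


def _env_list(env, name, default):
    """Read a MIME-type list from the environment.

    Entries may be separated by comma or space, as the changelog states.
    An unset variable yields the default; an explicitly empty one yields an empty set.
    """
    value = env.get(name)
    if value is None:
        return default
    return frozenset(token.lower() for token in value.replace(",", " ").split())


def inline_allowed(content_type, env=None):
    """Return True if an image of this type may be rendered inline on direct URL access.

    Allow-list mode is the default; OFS_IMAGE_USE_DENYLIST=1 switches to deny-list mode.
    The "1" comparison is an assumption; the page only says to set the variable to 1.
    """
    env = os.environ if env is None else env
    ctype = content_type.split(";", 1)[0].strip().lower()  # drop parameters like charset
    if env.get("OFS_IMAGE_USE_DENYLIST", "") == "1":
        denied = _env_list(env, "DISALLOWED_INLINE_MIMETYPES", DEFAULT_DISALLOWED_INLINE_MIMETYPES)
        return ctype not in denied
    allowed = _env_list(env, "ALLOWED_INLINE_MIMETYPES", DEFAULT_ALLOWED_INLINE_MIMETYPES)
    return ctype in allowed


def content_disposition(content_type, filename, env=None):
    """Content-Disposition value for a direct image request.

    Types that are not permitted inline are forced to download, which is the
    mitigation for script-bearing SVG documents described in the advisory.
    """
    disposition = "inline" if inline_allowed(content_type, env) else "attachment"
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return f'{disposition}; filename="{safe_name}"'
```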
- Tighten down the ZMI frame source logic to only allow site-local sources.
Problem reported by Miguel Segovia Gil.
- Added image dimensions to SVG file properties
`1146 <https://github.com/zopefoundation/Zope/pull/1146>`_.
- Fix username not in access log for error requests, see issue
`1155 <https://github.com/zopefoundation/Zope/issues/1155>`_.
- Update to newest compatible versions of dependencies.
- Add preliminary support for Python 3.12rc3.