CVE-2023-42458 Information

Description

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5 there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable even when the SVG image contains malicious code. To exploit the vulnerability an attacker would first need to upload an image and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround make sure the \Add Documents Images and Files\ permission is only assigned to trusted roles. By default only the Manager has this permission.

Reference

https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088