
CVE-2010-1104: Moderate severity vulnerability that affects Zope2

CVSS Score: 4.3

Basic Information

EPSS Score: 0.62414%
Published: 7/23/2018
Updated: 1/9/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
Zope2          pip         >= 2.8.0, < 2.8.12     2.8.12
Zope2          pip         >= 2.9.0, < 2.9.12     2.9.12
Zope2          pip         >= 2.10.0, < 2.10.11   2.10.11
Zope2          pip         >= 2.11.0, < 2.11.6    2.11.6
Zope2          pip         >= 2.12.0, < 2.12.3    2.12.3

Vulnerability Intelligence

Root Cause Analysis

The Zope announcement explicitly identifies a broken 'standard_error_message' template as the attack vector. This template renders error pages and is therefore the place where error text should be output-encoded. The vulnerability manifests when both conditions hold: 1) the template is in a broken or insecure state, and 2) an error message contains raw HTML markup in its string representation. Together they allow unescaped HTML or script to be injected into error pages. The exact code is not available, but the template name and the error-message handling are directly identified in primary sources as the vulnerability location.
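To make the two conditions concrete, the following added Python sketch (not Zope's code and not part of this analysis) models an error-page renderer in the broken state beside a hardened one, plus a check a reviewer can run against either renderer. The exception text, the page layout and all function names are constructed assumptions.

```python
import html

# Constructed sample: an exception whose str() carries raw markup, as an
# error message built from request-controlled input might (condition 2).
SAMPLE_ERROR = ValueError("<script>alert('xss')</script> not found")

PAGE_TEMPLATE = "<html><body><h1>Error</h1><p>{message}</p></body></html>"


def render_error_page_unsafe(error: BaseException) -> str:
    """Models the broken template state (condition 1): str(error) is
    interpolated verbatim, so any markup in the message reaches the browser."""
    return PAGE_TEMPLATE.format(message=str(error))


def render_error_page(error: BaseException) -> str:
    """Hardened renderer: the error text is HTML-escaped (including quotes)
    before interpolation, so markup is displayed as text, never executed."""
    return PAGE_TEMPLATE.format(message=html.escape(str(error), quote=True))


def leaks_raw_markup(page: str, message: str) -> bool:
    """Return True when a message containing markup survives verbatim in the
    rendered page, i.e. when the renderer fails to encode its output."""
    return "<" in message and message in page


def audit_renderer(render) -> bool:
    """Probe a renderer with the constructed sample and report whether it is
    safe. Returns True when the rendered page does not leak raw markup."""
    page = render(SAMPLE_ERROR)
    return not leaks_raw_markup(page, str(SAMPLE_ERROR))


if __name__ == "__main__":
    for name, render in (("unsafe", render_error_page_unsafe),
                         ("hardened", render_error_page)):
        print(f"{name}: {'safe' if audit_renderer(render) else 'leaks markup'}")
```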

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to err
