3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hc5c-r8m5-2gfh

GHSA-hc5c-r8m5-2gfh: plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait

Impact

There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits.

Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an SVG image as user portrait, and then trick a user into following a link to this portrait.

Patches

A patch will be released in plone.restapi 8.43.3. This version is good for Plone 6.0, and for Plone 5.2 on Python 3.

In plone.restapi 7 or earlier there was no @portrait endpoint yet, so there is nothing to fix in that version. It is still vulnerable to this attack, and needs a fix in Zope 4. These two vulnerabilities share the same CVE: CVE-2023-42458.

Workarounds

You could remove the portrait field from the member data schema, and possibly remove all portraits that are already in the database, but this seems a bit drastic.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-hc5c-r8m5-2gfh

GHSA-hc5c-r8m5-2gfh:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
plone.restapi	pip	>= 8.0.0, < 8.43.3	8.43.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how user portraits (including SVGs) were served. The commit diff shows the patched version added Content-Disposition headers and MIME type checks to force downloads for SVG files. The unpatched PortraitGet.render() method would serve SVGs with 'inline' disposition, allowing XSS when the SVG is directly viewed in a browser. The presence of SVG-specific security logic in the patch directly correlates to the vulnerability description about unsafe inline rendering of user-uploaded SVGs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-hc5c-r8m5-2gfh: plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait

Impact

Patches

Workarounds

GHSA-hc5c-r8m5-2gfh:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-hc5c-r8m5-2gfh: plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait

Impact

Patches

Workarounds

3.7

3.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI