New PFG Releases fix XSS Vulnerability

Just released: versions 1.7.19 and 1.8.1 of Products.PloneFormGen.

These releases fix an XSS vulnerability that could allow a user with the rights to add or edit PFG forms to elevate permissions via an XSS attack on a more privileged user. This vulnerability is only a problem if you allow untrusted users to add or edit PFG forms. It is not exploitable by users filling in PFG forms.

Version 1.7.19 is intended for use with Plone 4.1, 4.2 and 4.3.

Version 1.8.1 is intended for use with Plone 5.0.x.

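The announcement describes the bug class without showing it: text that a form editor controls (a field label, for instance) ends up in a page a more privileged user views, so an unescaped string becomes script running in that user's session. The snippet below is an added illustration, not PloneFormGen's code and not the actual fixed location in the release; the renderer, the field names and the sample label are all constructed for the example. It places the unsafe interpolation next to the escaped form and gives a small check a maintainer could keep as a regression test.

```python
# Added illustration (not PFG's code): editor-controlled form text rendered
# into HTML, first unescaped, then escaped. The renderer and the sample
# label are hypothetical.
from html import escape


def render_label_unsafe(label: str) -> str:
    """Vulnerable pattern: editor-supplied text dropped straight into markup."""
    return "<label>%s</label>" % label


def render_label_safe(label: str) -> str:
    """Mitigation: HTML-escape editor-controlled text before it is rendered
    in a page that a more privileged user (e.g. a site manager) will view."""
    return "<label>%s</label>" % escape(label, quote=True)


# Constructed sample: a form label as an untrusted editor might save it.
SAMPLE_LABEL = "Name <script>alert(1)</script>"


def contains_active_markup(html: str) -> bool:
    """Regression check: did a tag from the input survive into the output
    unescaped? Escaped output contains '&lt;script', never '<script'."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print("unsafe:", render_label_unsafe(SAMPLE_LABEL))
    print("safe:  ", render_label_safe(SAMPLE_LABEL))
```

The check is deliberately narrow: it only asserts that the escaping step is present on the path from stored form definition to rendered page, which is the property the release restores. Values submitted by people filling in a form are a separate path, which is why the advisory notes that form fillers cannot trigger the issue.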

I believe this should read:
Version 1.7.19 is intended for use with Plone 4.1, 4.2 and 4.3.

thanks for catching that, @ezvirtual - I've made the edit (@smcmahon)