Various vulnerabilities in Plone and Zope have been reported and fixed. They affect all supported Plone versions: 5.2 and 6.0. Older Plone versions are likely also affected.
There will be no hotfix package for these: you should update the version pins of individual packages. See this post about why we do less hotfix packages.
Denial of service
In plone.rest when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.
Security advisory: CVE-2023-42457.
Stored XSS
There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and ClassicUI.
Technically, ClassicUI is not vulnerable for the user portrait part, because you cannot upload an SVG as user portrait. But in Volto you can, so you may be able to access a vulnerable url in the backend anyway.
Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload a malicious SVG image, and then trick a user into following a specially crafted link.
Fixes are needed in three packages. We link to the security advisories:
plone.namedfileCVE-2023-41048ZopeCVE-2023-42458plone.restapialso CVE-2023-42458
Information disclosure and sandbox escape
Earlier this month, new Zope releases were made, which included security releases of AccessControl and RestrictedPython . See the community announcement.
Fixed Plone versions
All needed packages will be included in upcoming Plone 5.2.14 and 6.0.7. These will be announced shortly.
Package versions
If you cannot or do not want to upgrade your entire Plone version, you can upgrade individual package versions.
Fixes are available in these versions:
AccessControl = 4.4, 6.2
RestrictedPython = 5.4, 6.2
plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1
plone.rest = 2.0.1, 3.0.1
plone.restapi = 8.43.3
Zope = 4.8.10, 5.8.5
If you are using Buildout, then for the Zope, AccessControl and RestrictedPython versions it is best to update the [buildout] extends lines to include the following.
For Plone 5.2: https://zopefoundation.github.io/Zope/releases/4.8.10/versions.cfg
For Plone 6: https://zopefoundation.github.io/Zope/releases/5.8.5/versions.cfg
So which versions of these packages should you use on which Plone version?
To avoid surprises, you should use the version that is closest to the version you are already using. If you use the default versions, the following should help. This uses the Buildout notation. If you use a pip constraints file, you should use a double equals sign.
Plone 5.2
AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10
If you run Plone 5.2 on Python 3, and you are already using plone.restapi 8, then you can additionally use:
plone.restapi = 8.43.3
Plone 6.0.0/6.0.1
AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 2.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5
Plone 6.0.2 - 6.0.4
AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5
Plone 6.0.5/6.0.6
AccessControl = 6.2
plone.namedfile = 6.1.3
plone.rest = 3.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5
If you are having problems with the installation, or see regressions, please make a post in this thread, and anyone can help you.
If you see further security problems, please mail the Plone/Zope Security Team.