Various vulnerabilities in Plone and Zope have been reported and fixed. They affect all supported Plone versions: 5.2 and 6.0. Older Plone versions are likely also affected.
There will be no hotfix package for these: you should update the version pins of individual packages. See this post about why we do less hotfix packages.
plone.rest when the
++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.
Security advisory: CVE-2023-42457.
There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and ClassicUI.
Technically, ClassicUI is not vulnerable for the user portrait part, because you cannot upload an SVG as user portrait. But in Volto you can, so you may be able to access a vulnerable url in the backend anyway.
Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload a malicious SVG image, and then trick a user into following a specially crafted link.
Fixes are needed in three packages. We link to the security advisories:
Earlier this month, new Zope releases were made, which included security releases of
RestrictedPython . See the community announcement.
All needed packages will be included in upcoming Plone 5.2.14 and 6.0.7. These will be announced shortly.
If you cannot or do not want to upgrade your entire Plone version, you can upgrade individual package versions.
Fixes are available in these versions:
AccessControl = 4.4, 6.2 RestrictedPython = 5.4, 6.2 plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1 plone.rest = 2.0.1, 3.0.1 plone.restapi = 8.43.3 Zope = 4.8.10, 5.8.5
If you are using Buildout, then for the
RestrictedPython versions it is best to update the
[buildout] extends lines to include the following.
So which versions of these packages should you use on which Plone version?
To avoid surprises, you should use the version that is closest to the version you are already using. If you use the default versions, the following should help. This uses the Buildout notation. If you use a pip constraints file, you should use a double equals sign.
AccessControl = 4.4 plone.namedfile = 5.6.1 RestrictedPython = 5.4 Zope = 4.8.10
If you run Plone 5.2 on Python 3, and you are already using
plone.restapi 8, then you can additionally use:
plone.restapi = 8.43.3
AccessControl = 6.2 plone.namedfile = 6.0.3 plone.rest = 2.0.1 plone.restapi = 8.43.3 RestrictedPython = 6.2 Zope = 5.8.5
AccessControl = 6.2 plone.namedfile = 6.0.3 plone.rest = 3.0.1 plone.restapi = 8.43.3 RestrictedPython = 6.2 Zope = 5.8.5
AccessControl = 6.2 plone.namedfile = 6.1.3 plone.rest = 3.0.1 plone.restapi = 8.43.3 RestrictedPython = 6.2 Zope = 5.8.5
If you are having problems with the installation, or see regressions, please make a post in this thread, and anyone can help you.
If you see further security problems, please mail the Plone/Zope Security Team.