See also CMFPlone security advisory on GitHub.
Plone is vulnerable to reflected cross-site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page stored in a cache, for example in Varnish.
The technique is known as cache poisoning.
Any later visitor can get redirected when clicking on a link on this page.
Usually only anonymous users are affected, but this depends on your cache settings.
All Plone versions are vulnerable, at least Plone 4.3 and higher (we did not check older versions). Which package is vulnerable depends on your Plone version and on the Image content type you use.
The Plone Security Team has released fixes for Plone 5.2:
- plone.app.contenttypes 2.2.3 (see advisory)
- Products.ATContentTypes 3.0.6 (see advisory; if you are on Python 3 you will not be using this package)
and for Plone 6:
- plone.app.contenttypes 3.0.0a9 (see advisory)
For all affected Plone versions, with or without a fixed package, the following workaround is available:
Make sure the image_view_fullscreen page is not stored in the cache. In Plone:
- Login as Manager and go to Site Setup.
- Go to the 'Caching' control panel. If this does not exist, or 'Enable caching' is not checked, you should normally not be vulnerable.
- Click on the tab 'Caching operations'.
- Under 'Legacy template mappings' locate the ruleset 'Content item view'.
- From the last column ('Templates') remove 'image_view_fullscreen'.
- Click on Save.
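To confirm that the workaround took effect, the script below requests the view twice and reads the caching headers of both responses: the first answer tells you whether a shared cache is still allowed to store the page, the second whether the repeat request was actually served from cache. This is an added example for this advisory, not code from Plone or from the advisory's own procedure. The Cache-Control, Age and Expires handling is standard HTTP; treating two transaction ids in X-Varnish as a hit follows Varnish's documented convention; the X-Cache check and the sample header sets are assumptions, constructed to illustrate the two outcomes.

```python
"""Verify that a Plone view (image_view_fullscreen by default) is no longer
stored in or served from a shared cache such as Varnish.

Added example for this advisory, not part of the Plone project."""
from __future__ import annotations

import sys
import urllib.request
from typing import Mapping


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Turn 'max-age=3600, public' into {'max-age': '3600', 'public': None}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _lower(headers: Mapping[str, str]) -> dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_shared_cacheable(headers: Mapping[str, str]) -> bool:
    """True when the response headers permit a shared cache to store the page.

    This is the property the workaround is meant to remove for
    image_view_fullscreen: no positive freshness lifetime for shared caches."""
    h = _lower(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # s-maxage takes precedence over max-age for shared caches.
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            try:
                return int(cc[directive] or 0) > 0
            except ValueError:
                return False
    return "expires" in h


def served_from_cache(headers: Mapping[str, str]) -> bool:
    """True when this particular response was answered out of the cache."""
    h = _lower(headers)
    age = h.get("age", "").strip()
    if age.isdigit() and int(age) > 0:
        return True
    # Varnish lists two transaction ids on a hit: the current request and
    # the backend fetch that originally populated the cached object.
    if len(h.get("x-varnish", "").split()) == 2:
        return True
    # X-Cache: HIT/MISS is a common but proxy-specific convention (assumption).
    return "hit" in h.get("x-cache", "").lower()


def audit(first: Mapping[str, str], second: Mapping[str, str]) -> dict[str, bool]:
    """Combine two back-to-back responses for the same URL into a verdict."""
    return {
        "cacheable": is_shared_cacheable(first),
        "cache_hit_on_repeat": served_from_cache(second),
    }


def fetch_headers(url: str) -> dict[str, str]:
    """One GET against the live site; returns the response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "cache-audit"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())


# Constructed sample headers (not captured from a real deployment): one pair
# where the view is still being cached, one pair where it is not.
STILL_CACHED_FIRST = {"Cache-Control": "max-age=3600, public", "Age": "0",
                      "X-Varnish": "32773"}
STILL_CACHED_SECOND = {"Cache-Control": "max-age=3600, public", "Age": "12",
                       "X-Varnish": "32775 32773"}
NOT_CACHED_FIRST = {"Cache-Control": "max-age=0, must-revalidate, private",
                    "Age": "0", "X-Varnish": "32780"}
NOT_CACHED_SECOND = {"Cache-Control": "max-age=0, must-revalidate, private",
                     "Age": "0", "X-Varnish": "32781"}

if __name__ == "__main__":
    # Usage: python cache_audit.py https://your-site/path/to/image/image_view_fullscreen
    if len(sys.argv) == 2:
        first, second = fetch_headers(sys.argv[1]), fetch_headers(sys.argv[1])
    else:
        first, second = STILL_CACHED_FIRST, STILL_CACHED_SECOND
    verdict = audit(first, second)
    print(verdict)
    if verdict["cacheable"] or verdict["cache_hit_on_repeat"]:
        print("image_view_fullscreen is still cached: apply the workaround")
        sys.exit(1)
```

Run it against the full URL of an image's image_view_fullscreen view as an anonymous client (no login cookie), since that is the population the cached copy is normally served to; a non-zero exit means the page is still cacheable or was served from cache and the mapping change did not reach the proxy.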
This vulnerability was responsibly disclosed to the Plone Security Team by Gustav Hansen, F-Secure Consulting. Thank you!
If you have any questions or comments about this advisory, email us at firstname.lastname@example.org
This is also the correct address to use when you want to report a possible vulnerability.
See our security report policy.
To answer one question already: why not a hotfix package?
Since the fix is in a Page Template, and not in Python code, our usual way of fixing this in a special hotfix package was not viable.