Security patch has been released: 20170117

# Hotfix to patch XSS and sandbox escape vulnerability
This is a routine patch with our standard 14 day notice period. There is no evidence that the issues fixed here are being used against any sites.

CVE numbers: CVE-2016-7147 and one not yet issued.

Versions Affected: All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested.

Versions Not Affected: None.

Nature of vulnerability: the patch will address a reflected XSS vulnerability in Zope and a partial sandbox escape vulnerability available to system administrators.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6. However, it has also received some testing on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.12, 5.0.7 and greater should not require this hotfix.

Credit: Thanks to Tim Coen of Curesec GmbH for the responsible disclosure of the XSS vulnerability. The partial sandbox escape was found by the Plone security team, inspired by Armin Ronacher's writings on the subject.

The patch was released at 2017-01-17 15:00 UTC.

# See the full announcement at https://plone.org/security/announcements/security-patch-released-20170117
