Security vulnerability announcement: plone.app.textfield and plone.restapi

On behalf of the Plone Security Team I make two vulnerability announcements. Here are the links to the announcements on GitHub:

They are two sides of the same vulnerability, so I will combine the two into one post here on community.plone.org. A CVE has been requested, but not assigned yet. Once that is done, I will use the same CVE for both.

The vulnerability was discovered by @gyst, who reported it to security@plone.org and provided fixes and tests. Thanks!

Impact

A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type (text/x-html-safe) is the type that signifies "already sanitized", any value whose stored mimeType equals it bypasses the safe_html transform entirely on render. The transform itself is sound — it correctly strips on* event-handler attributes and javascript:/data: URIs; the defect is that it is never invoked for these values. The unsanitized value is then emitted via tal:content="structure ...", which performs no escaping, so the payload executes in the viewer's browser.

This can be a problem when a RichText field is wrongly defined in code with a mimeType and outputMimeType that are the same, or when the REST API is used to store a value whose mimeType already equals the field's outputMimeType.

Note: these rich text fields are only used in Classic UI, so Volto is not affected.

Patches

The problem has been patched for all supported Plone versions:

  • For Plone 6.0, upgrade plone.app.textfield to 2.0.2 and plone.restapi to 9.15.6.
  • For Plone 6.1, upgrade plone.app.textfield to 3.0.2 and plone.restapi to 9.15.6.
  • For Plone 6.2, upgrade plone.app.textfield to 4.0.1 and plone.restapi to 10.0.1.

The plone.restapi fix will prevent abusing the REST API to store wrong rich text values.

If wrong rich text values have already been stored in your site, either because of the REST API vulnerability or because of a wrongly defined RichText field, the plone.app.textfield fix will prevent XSS.
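To make the mechanism in the Impact section concrete, and to give site owners a way to reason about what the Patches section calls "wrong rich text values", here is an added Python model that is not code from plone.app.textfield or plone.restapi. It uses the page's own names (RichTextValue, mimeType, outputMimeType, text/x-html-safe) on a small dataclass; the toy sanitizer stands in for the real safe_html transform (assumption: the real one is a full HTML cleaner, this only strips on* handlers and javascript:/data: URIs); the hardened output rule and the check/audit helpers are this example's own, not the upstream patch.

```python
import re
from dataclasses import dataclass

SAFE_HTML = "text/x-html-safe"          # the "already sanitized" output type from the advisory
HTML_TYPES = {"text/html", SAFE_HTML}   # output types that are rendered as HTML structure

# Toy stand-in for Plone's safe_html transform (assumption: the real transform is a
# full HTML cleaner; this only strips on* handlers and javascript:/data: URIs).
_ON_ATTR = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
_BAD_URI = re.compile(r"""(href|src)\s*=\s*(["']?)\s*(?:javascript|data):[^"'\s>]*\2""", re.IGNORECASE)


def toy_safe_html(html: str) -> str:
    """Strip event-handler attributes and javascript:/data: URIs (toy transform)."""
    html = _ON_ATTR.sub("", html)
    return _BAD_URI.sub(r"\1=\2\2", html)


@dataclass
class RichTextValue:
    raw: str            # the stored value
    mimeType: str       # type the value was stored as
    outputMimeType: str # type the field renders as

    @property
    def output_vulnerable(self) -> str:
        """Model of the defect: a stored mimeType equal to the output type is taken to
        mean 'already sanitized', so the transform is skipped and raw HTML is emitted."""
        if self.mimeType == self.outputMimeType:
            return self.raw
        return toy_safe_html(self.raw)

    @property
    def output_hardened(self) -> str:
        """This example's own conservative rule (not the upstream patch): when the field
        renders as HTML, the stored mimeType label is never trusted and the transform
        always runs before the value reaches tal:content="structure"."""
        if self.outputMimeType in HTML_TYPES:
            return toy_safe_html(self.raw)
        return self.raw


def check_field_definition(default_mime_type: str, output_mime_type: str) -> list:
    """Flag RichText field definitions of the shape the advisory warns about."""
    findings = []
    if default_mime_type == output_mime_type:
        findings.append("mimeType equals outputMimeType: stored values render unsanitized")
    if default_mime_type == SAFE_HTML:
        findings.append("default mimeType is the safe-HTML type: input is treated as already sanitized")
    return findings


def find_suspect_values(values: list) -> list:
    """Return stored values whose mimeType would have bypassed the transform; after
    upgrading, these are the ones worth re-saving or re-sanitizing."""
    return [v for v in values
            if v.mimeType == v.outputMimeType and v.outputMimeType in HTML_TYPES]


if __name__ == "__main__":
    # Constructed sample value with an inline handler and a javascript: link.
    sample = '<p onmouseover="track()">Hello <a href="javascript:go()">link</a></p>'
    stored_as_safe = RichTextValue(sample, SAFE_HTML, SAFE_HTML)
    print("vulnerable:", stored_as_safe.output_vulnerable)   # raw, unsanitized
    print("hardened:  ", stored_as_safe.output_hardened)     # transform applied
    print(check_field_definition(SAFE_HTML, SAFE_HTML))
```

The `check_field_definition` helper is the kind of assertion you would put next to your own RichText field declarations, and `find_suspect_values` is the post-upgrade audit: values whose stored type equals the output type are exactly the ones the old code emitted without a transform, so they are the ones to look at once the fixed packages are installed.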

Workarounds

There is no known workaround.