CVE-2011-1340

Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.

Published Byvultures@jpcert.or.jp

Published DateAug 05, 2011, 21:55

Affected Versions(1)

plone(PyPI)

Introduced0

Fixed2.5.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
plone(PyPI)	0	2.5.3	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

http://dev.plone.org/plone/changeset/12262
http://dev.plone.org/plone/ticket/6110
http://jvn.jp/en/jp/JVN41222793/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000056

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE