Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Zope vulnerable to Stored Cross Site Scripting with SVG images
Vulnerability Description
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)
Vulnerability Title
Zope 安全漏洞
Vulnerability Description
Zope是Zope社区的一套使用Python语言编写的、面向对象的开源Web应用服务器。 Zope存在安全漏洞,该漏洞源于SVG图像存在存储型跨站脚本漏洞(XSS)漏洞。攻击者可利用该漏洞通过上传图像,诱骗用户访问特制的链接从而执行恶意代码。受影响的产品和版本:Zope 4.8.9及之前版本,5.8.4及之前版本。
CVSS Information
N/A
Vulnerability Type
N/A