Vigil@nce: Zope 2, Cross Site Scripting
January 2010 by Vigil@nce
An attacker can trigger a Cross Site Scripting attack through the
error template of Zope version 2.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 13/01/2010
IMPACTED PRODUCTS
– Zope
DESCRIPTION OF THE VULNERABILITY
The "standard_error_message" template of Zope 2 is used to display
errors.
However, this template does not correctly filter error messages
before inserting them in the generated document.
An attacker can therefore trigger a Cross Site Scripting attack
through the error template of Zope version 2.
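The flaw class described above, shown as an added example that is not code from Zope or from this bulletin: an error page that inserts error text verbatim, beside the corrected form that HTML-escapes it, plus a regression check. The template, function names and sample message are hypothetical stand-ins, not the "standard_error_message" source.

```python
import html
from string import Template

# Hypothetical stand-in for an error page (assumption, not Zope's template).
ERROR_PAGE = Template(
    "<html><body><h2>Site Error</h2>"
    "<p><strong>Error Type:</strong> $error_type</p>"
    "<p><strong>Error Value:</strong> $error_value</p>"
    "</body></html>"
)

# Constructed sample: an error message carrying markup from untrusted input.
SAMPLE_MESSAGE = 'Resource not found: <i id="probe">x</i>'


def render_error_unfiltered(error_type, error_value):
    """Flawed pattern: error text is inserted into the page verbatim."""
    return ERROR_PAGE.substitute(error_type=error_type, error_value=error_value)


def render_error_escaped(error_type, error_value):
    """Corrected pattern: every error field is HTML-escaped before insertion."""
    return ERROR_PAGE.substitute(
        error_type=html.escape(str(error_type), quote=True),
        error_value=html.escape(str(error_value), quote=True),
    )


def reflects_markup(page, untrusted):
    """Regression check: True if untrusted text containing HTML
    metacharacters appears in the page without being escaped."""
    has_meta = any(ch in untrusted for ch in "<>\"'&")
    return has_meta and untrusted in page


if __name__ == "__main__":
    for render in (render_error_unfiltered, render_error_escaped):
        page = render("NotFound", SAMPLE_MESSAGE)
        print(render.__name__, "reflects markup:",
              reflects_markup(page, SAMPLE_MESSAGE))
```

The same check can be run against a deployed error page by requesting a nonexistent resource with a harmless marker and confirming the marker comes back escaped.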
CHARACTERISTICS
– Identifiers: BID-37765, VIGILANCE-VUL-9343
– URL: http://vigilance.fr/vulnerability/Zope-2-Cross-Site-Scripting-9343