VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2021 · Updated Aug 3, 2024

CVE-2021-29002

Description

A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Plone CMS 5.2.3 allows authenticated managers to inject arbitrary scripts via the site title field.

Vulnerability

Overview

CVE-2021-29002 is a stored cross-site scripting (XSS) vulnerability in Plone CMS version 5.2.3. The flaw resides in the site-controlpanel, specifically in the form.widgets.site_title parameter. An attacker with manager-level access can inject malicious scripts into the site title field, which are then stored and executed in the browsers of other users who view the affected page [1][2][4].

Exploitation

Details

To exploit this vulnerability, an attacker must first authenticate as a Manager. They then navigate to Manager → Site Setup → Site and edit the "Site title" field, inserting a payload such as ``. The injected script is stored and rendered without proper sanitization, leading to persistent XSS [4]. No additional privileges or network position beyond manager access are required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user visiting the affected site. This can lead to cookie theft, session hijacking, password theft, or further arbitrary actions on the victim's browser. The stored nature of the XSS means the attack can affect multiple users over time without repeated interaction [2][4].

Mitigation

Plone has addressed this issue in subsequent releases; users are strongly advised to upgrade to a patched version of Plone CMS. As of the publication date, no workaround is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Administrators should review the official Plone security advisories for the latest updates [1][2].
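The root cause described above is output-time encoding, not the field itself: a site title stored with markup is harmless until a template interpolates it verbatim. The following is an added illustration, not Plone's own code, showing the vulnerable rendering pattern beside its hardened form plus a defender-side audit check over stored titles; the sample titles and function names are constructed for this example.

```python
import html
import re

# Constructed sample values standing in for what a Manager might save in the
# site-title field. The second contains markup of the kind a stored XSS relies on.
STORED_TITLES = {
    "benign": "Acme Intranet & Wiki",
    "markup": "Acme <script>void 0</script>",
}


def render_header_vulnerable(site_title: str) -> str:
    """Interpolates the stored title verbatim: the vulnerable pattern (no output encoding)."""
    return f"<title>{site_title}</title><h1>{site_title}</h1>"


def render_header_hardened(site_title: str) -> str:
    """HTML-escapes at output time, so stored markup is displayed as text, never executed."""
    safe = html.escape(site_title, quote=True)
    return f"<title>{safe}</title><h1>{safe}</h1>"


# Signals that something other than a plain name was stored: a tag start,
# an inline event-handler attribute, or a javascript: URL scheme.
_MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-zA-Z]+\s*=|javascript:", re.IGNORECASE)


def audit_site_title(site_title: str) -> bool:
    """Returns True when a stored title contains markup and should be reviewed by an admin."""
    return bool(_MARKUP_PATTERN.search(site_title))


def contains_live_script(rendered_html: str) -> bool:
    """Returns True if an unescaped <script ...> tag survives in the rendered output."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, title in STORED_TITLES.items():
        print(f"{name}: flagged by audit = {audit_site_title(title)}")
        print("  vulnerable render has live script:", contains_live_script(render_header_vulnerable(title)))
        print("  hardened render has live script:  ", contains_live_script(render_header_hardened(title)))
```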

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: plone (PyPI)
Affected versions: <= 5.2.3
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
