CVE-2021-33508

Vulnerability

Plone versions 4.3.20 and earlier 4.3.x versions, and 5.2.4 and earlier 5.x versions, are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of user full names during the rendering of the ownership tab of a content item [1][3]. The full name field, which can be set by a user with sufficient privileges, is not sanitized before being displayed, allowing arbitrary HTML and JavaScript to be injected [1].

Exploitation

An attacker with the ability to edit their own user profile (or another user's profile, depending on site permissions) can set a crafted full name containing malicious JavaScript [1]. When any user visits the ownership tab of a content item owned by that user (or authored by that user, as the ownership tab may show the owner of the content), the injected script executes in the context of the viewer's browser [1]. No user interaction beyond viewing the ownership tab is required, and the attacker does not need special network access beyond normal application access [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the browser of any user who views the ownership tab of an affected content item [1]. This can result in information disclosure (e.g., session hijacking, cookie theft), unauthorized actions performed on behalf of the victim, or defacement of the web application, all within the security context of the victim's session [1].

Mitigation

The vulnerability has been addressed in the Plone security hotfix released on May 18, 2021, which is applicable to all supported versions (4.3.20 and earlier 4.3.x, 5.2.4 and earlier 5.x) [3]. Users are advised to apply the hotfix or upgrade to a patched version as soon as possible [1][3]. No workaround is available other than applying the patch [3].