VYPR
Moderate severity · NVD Advisory · Published May 21, 2021 · Updated Aug 3, 2024

CVE-2021-33512

Description

Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Plone through 5.2.4 allows stored XSS by Contributors via uploaded SVG or HTML documents, enabling arbitrary script execution in the browser.

Vulnerability

Plone versions 4.3.20 and earlier 4.3.x versions, and 5.2.4 and earlier 5.x versions, are affected by a stored cross-site scripting (XSS) vulnerability. A user holding the Contributor role can upload an SVG or HTML document that contains script. The file is stored unmodified and later served back to other users as an ordinary page asset, so the browser renders it as a document in the Plone site's origin and runs the embedded script [1][2].

Exploitation

The attacker needs a Contributor account on the target site. They upload a crafted SVG or HTML document through the normal file upload functionality, then wait for, or lure, other users to open it. Any user who views the uploaded file in the browser, including administrators and other higher-privileged roles, executes the embedded script in the Plone site's origin [1][3]. Simply viewing the file is enough; no further interaction is required.

Impact

Successful exploitation gives the attacker arbitrary JavaScript execution inside the victim's authenticated session, which can be used for data theft, session hijacking, defacement, or actions performed in the victim's name. The blast radius is the victim's browser and whatever the victim's Plone privileges allow, but when the victim is a site administrator that is enough to escalate a Contributor account to full control of the site [1][2].

Mitigation

Plone released a security hotfix on May 18, 2021 [2]. Apply the hotfix or upgrade to a version that includes it. The only workaround is to limit the Contributor role, and with it file upload, to trusted users. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication [3].
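As an added example, not Plone's own code and not the May 18, 2021 hotfix, the two checks a practitioner would want for this bug class, written in Python because Plone is a Python application. The first scans an uploaded SVG or HTML body for the markup that would execute if a browser rendered the file inline (script elements, event handler attributes, javascript:/data: URLs, SMIL animations that rewrite href). The second builds the response headers that make such an upload harmless to serve at all: a forced download plus nosniff, so the file never gets the site's origin regardless of its contents. The function names, the type and extension lists and the sample uploads are assumptions constructed for this example.

```python
"""Added example (not Plone's code or its hotfix): checks for the
upload-then-render-inline stored XSS pattern described on this page.

  active_content_findings(body)     -> what in an SVG/HTML upload would run
                                       script if rendered inline
  download_headers(filename, ctype) -> headers that force such files to
                                       download instead of rendering in the
                                       site's origin (generic hardening for
                                       this bug class; assumed, not Plone's)
"""
import os
from html.parser import HTMLParser

# Types a browser renders as a full document, which hands any script inside
# the serving site's origin when the file is viewed inline. (Assumed list.)
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml", "text/javascript",
                "application/javascript"}
ACTIVE_EXTENSIONS = {".svg", ".svgz", ".html", ".htm", ".xhtml", ".xml", ".js"}

# Elements that execute or load active content, and attributes that take a
# URL (so javascript:, data: and vbscript: schemes become a script sink).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "foreignobject",
               "meta", "link", "base", "form"}
URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction", "data"}


def _normalise_url(value: str) -> str:
    # Browsers drop tabs, newlines and other control characters inside the
    # scheme, so "java\tscript:" has to be treated exactly like "javascript:".
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


class _ActiveContentParser(HTMLParser):
    """Tag-soup parse: handles HTML and SVG alike, and HTMLParser does not
    process DTDs, so entity expansion tricks cannot hurt the scanner."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        attr_map = {name: (value or "") for name, value in attrs}
        for name, value in attr_map.items():
            if name.startswith("on"):                 # onload, onclick, ...
                self.findings.append(f"attr:{name}")
            elif name in URL_ATTRS and _normalise_url(value).startswith(
                    ("javascript:", "data:", "vbscript:")):
                self.findings.append(f"url:{name}")
        # SMIL <animate>/<set> can rewrite an href to javascript: after load.
        target = attr_map.get("attributename", "").lower()
        if tag in ("animate", "set") and target in URL_ATTRS:
            self.findings.append(f"animate:{target}")


def active_content_findings(body: bytes) -> list[str]:
    """Reasons an upload must not be served inline. An empty list means
    nothing active was found, not that the file is proven safe."""
    parser = _ActiveContentParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    parser.close()
    return parser.findings


def is_active_upload(filename: str, content_type: str) -> bool:
    """True if either the declared type or the extension is one a browser
    would render as a document in the site's origin."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in ACTIVE_TYPES or os.path.splitext(filename)[1].lower() in ACTIVE_EXTENSIONS


def download_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for serving an uploaded file. Active types are forced to
    download; nosniff stops the browser second-guessing the declared type;
    the CSP sandbox is defence in depth if something still renders inline."""
    # Strip quotes and control characters so the name cannot break the header.
    safe_name = "".join(ch for ch in filename
                        if ch.isprintable() and ch not in '"\\') or "download"
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if is_active_upload(filename, content_type):
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


# Constructed sample uploads for the example; not files from any real site.
SAMPLES = {
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "evil1.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>',
    "evil2.svg": (b'<svg xmlns="http://www.w3.org/2000/svg" '
                  b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<a xlink:href="java\tscript:alert(1)"><text y="20">click</text></a></svg>'),
    "evil.html": b'<html><body><script>alert(1)</script></body></html>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ctype = "image/svg+xml" if name.endswith(".svg") else "text/html"
        print(name, active_content_findings(body) or "clean",
              download_headers(name, ctype)["Content-Disposition"])
```

The scanner is a tag-soup parse rather than an allow-list sanitiser, so treat a non-empty finding list as "do not serve inline" and never read an empty list as proof of safety. Forcing `Content-Disposition: attachment` together with `X-Content-Type-Options: nosniff` is what takes the site's origin out of the equation regardless of file contents, which is why it is the primary control here and the scan is only a secondary signal for triage or for deciding whether an upload should be rejected outright.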

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Plone (PyPI)
Affected versions: <= 5.2.4
Patched versions: (not listed)

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.