CVE-2021-35959
Description
In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Plone 5.0 through 5.2.4, a Contributor can create a folder with a SCRIPT tag in the description field, which then executes as stored XSS when an Editor views the folder contents.
Vulnerability
In Plone versions 5.0.0 through 5.2.4, the folder contents view does not sanitize the description field of folders, allowing a Contributor to inject arbitrary HTML or JavaScript. An Editor viewing the folder contents will trigger the stored XSS because the description is rendered without proper escaping [1][3].
Exploitation
An attacker with the Contributor role creates a folder and sets its description to include a malicious SCRIPT tag. When an Editor navigates to the folder contents view, the script executes in the context of the Editor's session. No additional user interaction beyond viewing the folder contents is required [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the Editor's browser. This can lead to session hijacking, defacement, or theft of sensitive information within the Plone site. The attack is limited to the privilege level of the targeted Editor, who typically has broader permissions than a Contributor [1][3].
Mitigation
A fix is included in the hotfix package Products.PloneHotfix20210518 version 1.5, available from PyPI and the Plone security advisory page. The affected package plone.app.content is fixed in version 3.8.8, which will be included in Plone 5.2.5 (expected July 2021). Users should upgrade to the patched version or apply the hotfix [3].
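As an added illustration (not Plone's own code and not the hotfix), the Python below sketches the defect described above: a folder-contents row that interpolates the Contributor-controlled description into markup unescaped, beside the escaped form, plus a small audit helper for finding stored descriptions that already contain markup. The folder records and their descriptions are constructed sample data.

```python
import html
import re

# Constructed sample records standing in for folders a Contributor created.
# The first carries the kind of description the advisory describes.
SAMPLE_FOLDERS = [
    {"title": "Reports", "description": '<script>alert("folder contents")</script>'},
    {"title": "Minutes", "description": "Board meeting minutes, 2021"},
]

# Hypothetical row template for a folder-contents listing (not Plone's template).
ROW_TEMPLATE = (
    '<tr><td class="title">{title}</td>'
    '<td class="description">{description}</td></tr>'
)


def render_row_unsafe(folder):
    """Vulnerable pattern: stored fields are dropped into the markup verbatim,
    so a <script> tag in the description becomes live script for the viewer."""
    return ROW_TEMPLATE.format(**folder)


def render_row_safe(folder):
    """Hardened pattern: every user-controlled field is HTML-escaped before
    interpolation, so the same description renders as inert text."""
    return ROW_TEMPLATE.format(
        title=html.escape(folder["title"], quote=True),
        description=html.escape(folder["description"], quote=True),
    )


# Anything that looks like the start of a tag: '<' followed by a letter, '/' or '!'.
_TAG_START = re.compile(r"<\s*[A-Za-z/!]")


def audit_descriptions(folders):
    """Return the titles of folders whose stored description contains markup.
    Useful after patching to locate content that needs review or cleanup."""
    return [f["title"] for f in folders if _TAG_START.search(f["description"])]


if __name__ == "__main__":
    for folder in SAMPLE_FOLDERS:
        print("unsafe:", render_row_unsafe(folder))
        print("safe:  ", render_row_safe(folder))
    print("descriptions containing markup:", audit_descriptions(SAMPLE_FOLDERS))
```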
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | >= 5.0, <= 5.2.4 | — |
Affected products
- Plone/Plone
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qfhw-fv3g-v836 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-35959 (NVD advisory)
- www.openwall.com/lists/oss-security/2021/06/30/2 (oss-security mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-110.yaml (PyPA advisory database)
- plone.org/security/hotfix/20210518/stored-xss-in-folder-contents (Plone security advisory)
News mentions
No linked articles in our index yet.