Bug 1040392 (CVE-2013-7062)

Summary: CVE-2013-7062 zope: reflexive XSS in Image.py
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cluster-maint, extras-orphan, jkurik, jrusnack, rmccabe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 14:55:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1040397    
Bug Blocks: 1040399    

Description Ratul Gupta 2013-12-11 10:59:42 UTC 
Zope, an object-oriented web application server, was found to be affected by a reflexive XSS vulnerability that allows arbitrary HTML to be included following an Image tag. This is only possible if Zope image objects have been added to the instance and their path is known. Plone image objects are unaffected.

References:
http://seclists.org/oss-sec/2013/q4/467
https://plone.org/security/20131210/zope-xss-in-OFS

Commit:
https://github.com/zopefoundation/Zope/commit/85d2a5f1e6f46c40d32b832a4dca111074a9484b
Comment 1 Ratul Gupta 2013-12-11 11:05:42 UTC 
Created zope tracking bugs for this issue:

Affects: epel-5 [bug 1040397]
Comment 2 Ratul Gupta 2013-12-13 05:56:03 UTC 
CVE Request:
http://seclists.org/oss-sec/2013/q4/467
Comment 4 Vincent Danen 2015-02-17 14:55:40 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.