Bug 1040392 (CVE-2013-7062) - CVE-2013-7062 zope: reflexive XSS in Image.py
Summary: CVE-2013-7062 zope: reflexive XSS in Image.py
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-7062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1040397
Blocks: 1040399
TreeView+ depends on / blocked
 
Reported: 2013-12-11 10:59 UTC by Ratul Gupta
Modified: 2021-02-17 07:04 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-02-17 14:55:40 UTC
Embargoed:

Attachments (Terms of Use)

Description Ratul Gupta 2013-12-11 10:59:42 UTC 
Zope, an object-oriented web application server, was found to be affected by a reflexive XSS vulnerability that allows arbitrary HTML to be included following an Image tag. This is only possible if Zope image objects have been added to the instance and their path is known. Plone image objects are unaffected.

References:
http://seclists.org/oss-sec/2013/q4/467
https://plone.org/security/20131210/zope-xss-in-OFS

Commit:
https://github.com/zopefoundation/Zope/commit/85d2a5f1e6f46c40d32b832a4dca111074a9484b
Comment 1 Ratul Gupta 2013-12-11 11:05:42 UTC 
Created zope tracking bugs for this issue:

Affects: epel-5 [bug 1040397]
Comment 2 Ratul Gupta 2013-12-13 05:56:03 UTC 
CVE Request:
http://seclists.org/oss-sec/2013/q4/467
Comment 4 Vincent Danen 2015-02-17 14:55:40 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Note You need to log in before you can comment on or make changes to this bug.