Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1104 to the following vulnerability:

Name: CVE-2010-1104
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1104
Assigned: 20100325
Reference: MLIST:[zope-announce] 20100112 New Zope2 releases available
Reference: URL: https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html
Reference: BID:37765
Reference: URL: http://www.securityfocus.com/bid/37765
Reference: OSVDB:61655
Reference: URL: http://www.osvdb.org/61655
Reference: SECUNIA:38007
Reference: URL: http://secunia.com/advisories/38007
Reference: VUPEN:ADV-2010-0104
Reference: URL: http://www.vupen.com/english/advisories/2010/0104
Reference: XF:zope-standarderrormessage-xss(55599)
Reference: URL: http://xforce.iss.net/xforce/xfdb/55599

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

A patch to correct this is available here: http://launchpadlibrarian.net/37708066/patch-491224.txt

The SimpleItem.py file can be found in the luci rpm package, built from conga, on Red Hat Enterprise Linux 5.
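As an added illustration of the bug class described above, and not Zope's own code, the patch-491224 diff, or the exact vector used in this CVE: a minimal Python error-page renderer showing the unescaped form (attacker-influenced error text interpolated straight into HTML) next to the escaped form, plus a check that counts tags in the rendered page. The template, function names and sample error strings are all constructed for this example.

```python
import html
import re

# Constructed sample inputs: a benign error value and one carrying markup.
# These are illustrative only; the real Zope vector is not reproduced here.
SAMPLE_ERRORS = [
    ("NotFound", "Resource /missing not found"),
    ("NotFound", "Resource </b><script>alert(1)</script> not found"),
]

# Hypothetical error page template, standing in for a site's standard error page.
TEMPLATE = (
    "<html><body><h1>Site Error</h1>"
    "<p>Error Type: {error_type}</p>"
    "<p>Error Value: {error_value}</p>"
    "</body></html>"
)


def render_error_page_unsafe(error_type, error_value):
    """Bug pattern: error text goes into the HTML document verbatim."""
    return TEMPLATE.format(error_type=error_type, error_value=error_value)


def render_error_page_safe(error_type, error_value):
    """Fix pattern: both fields are HTML-escaped before interpolation."""
    return TEMPLATE.format(
        error_type=html.escape(str(error_type), quote=True),
        error_value=html.escape(str(error_value), quote=True),
    )


# Matches the start of an HTML tag (opening or closing).
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def injects_markup(page, template=TEMPLATE):
    """True if the rendered page carries tags beyond those in the template."""
    expected = len(_TAG_RE.findall(template))
    return len(_TAG_RE.findall(page)) > expected


if __name__ == "__main__":
    for etype, evalue in SAMPLE_ERRORS:
        unsafe = injects_markup(render_error_page_unsafe(etype, evalue))
        safe = injects_markup(render_error_page_safe(etype, evalue))
        print(f"{evalue!r}: unsafe injects={unsafe}, safe injects={safe}")
```

The tag-count check is a cheap regression test for templates of this kind: if an error page renders more tags than its template contains, some field was not escaped.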
I should have also noted the upstream bug report: https://bugs.launchpad.net/zope2/+bug/491224
We also have Zope in EPEL5 (2.10.9) which would be vulnerable to this issue and should receive an update for it.
Statement: (none)
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Via RHSA-2012:0151 https://rhn.redhat.com/errata/RHSA-2012-0151.html