Red Hat Bugzilla – Bug 577019
CVE-2010-1104 zope: XSS on error page
Last modified: 2016-03-04 06:29:38 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1104 to
the following vulnerability:
Reference: MLIST:[zope-announce] 20100112 New Zope2 releases available
Reference: URL: http://www.securityfocus.com/bid/37765
Reference: URL: http://www.osvdb.org/61655
Reference: URL: http://secunia.com/advisories/38007
Reference: URL: http://www.vupen.com/english/advisories/2010/0104
Reference: URL: http://xforce.iss.net/xforce/xfdb/55599
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12,
2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and
2.12.x before 2.12.3 allows remote attackers to inject arbitrary web
script or HTML via vectors related to error messages.
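As an added illustration of the vulnerability class described above, the following Python snippet is not Zope's code and not the patch referenced in this bug; it contrasts an error page that interpolates a request-derived value verbatim with one that HTML-escapes it first, plus a small check a reviewer can run over rendered output. The template shape and the sample input are constructed for this example.

```python
import html

# Constructed sample: a request-derived value (e.g. a path segment or
# parameter) that a server might echo back inside an error message.
SAMPLE_INPUT = "<b>not an error</b>"


def render_error_unescaped(message: str) -> str:
    """Vulnerable pattern: the message is interpolated into HTML verbatim,
    so any markup in it is rendered by the browser."""
    return f"<html><body><h1>Error</h1><p>{message}</p></body></html>"


def render_error_escaped(message: str) -> str:
    """Hardened pattern: escape '<', '>', '&' and quotes before
    interpolating, so the message is shown as literal text."""
    safe = html.escape(message, quote=True)
    return f"<html><body><h1>Error</h1><p>{safe}</p></body></html>"


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Review check: True if an untrusted value containing HTML-significant
    characters appears unchanged in the rendered page."""
    significant = any(c in untrusted for c in "<>&\"'")
    return significant and untrusted in rendered


if __name__ == "__main__":
    for name, render in (("unescaped", render_error_unescaped),
                         ("escaped", render_error_escaped)):
        page = render(SAMPLE_INPUT)
        print(f"{name}: raw markup present = {contains_raw_markup(page, SAMPLE_INPUT)}")
```

The check is deliberately simple: it flags the case this CVE describes (user-controlled text landing in an error page without encoding) and says nothing about the safety of the surrounding template.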
A patch to correct this is available here:
The SimpleItem.py file can be found in the luci rpm package, built from conga, on Red Hat Enterprise Linux 5.
I should have also noted the upstream bug report:
We also have Zope in EPEL5 (2.10.9) which would be vulnerable to this issue and should receive an update for it.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:0151 https://rhn.redhat.com/errata/RHSA-2012-0151.html