It was found that z3c.form currently accepts data from GET requests when the form is supposed to be POST. This allows a user to inject a potential XSS attack into a form. With certain widgets in Plone admin forms, the input is assumed to be safe, so a crafted GET request results in a reflected XSS attack. Additionally, an attacker could trick a user into saving the injected content, turning it into a persistent XSS.

CVE assignment: http://seclists.org/oss-sec/2016/q3/417

External References: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms
Created plone tracking bugs for this issue:

Affects: epel-5 [bug 1373467]
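The defect class described above is a form handler that reads submitted values from a merged parameter dictionary (query string plus body) regardless of the HTTP method, so a link alone can populate a POST-only form. The following is an added, constructed illustration of that pattern next to a hardened version; it is not z3c.form or Plone code, and the Request class, the render_naive and render_hardened handlers and the ignores_get_data check are hypothetical names chosen for this example.

```python
"""Constructed example: a POST-only form that mistakenly honours GET data,
beside a handler that only treats a POST body as a submission and escapes
what it echoes back. Not z3c.form or Plone source."""
from dataclasses import dataclass
from html import escape
from urllib.parse import parse_qs, urlencode


@dataclass
class Request:
    """Minimal stand-in for a web request (hypothetical, for this example)."""
    method: str
    query_string: str = ""
    body: str = ""  # application/x-www-form-urlencoded body, if any

    @property
    def query_params(self) -> dict:
        return {k: v[0] for k, v in parse_qs(self.query_string).items()}

    @property
    def body_params(self) -> dict:
        return {k: v[0] for k, v in parse_qs(self.body).items()}

    @property
    def form(self) -> dict:
        """Merged parameters, the way many frameworks expose them: query
        string and body values in one dict. This merging is what lets a GET
        request masquerade as a form submission."""
        merged = dict(self.query_params)
        merged.update(self.body_params)
        return merged


def render_naive(request: Request) -> str:
    """Vulnerable pattern: takes the field from the merged dict no matter how
    the request arrived, and trusts the value as safe markup."""
    title = request.form.get("title", "")
    return f"<h1>{title}</h1>"


def render_hardened(request: Request) -> str:
    """Hardened pattern: only a POST body counts as a submission, and the
    value is HTML-escaped before it is placed in the page."""
    if request.method != "POST":
        # A GET carrying form fields is not a submission: render the empty form.
        return "<h1></h1>"
    title = request.body_params.get("title", "")
    return f"<h1>{escape(title, quote=True)}</h1>"


def ignores_get_data(handler) -> bool:
    """Regression check a form owner can run: a handler that honours its
    POST-only contract renders the same page for a bare GET and for a GET
    whose query string carries form fields."""
    probe = urlencode({"title": "<b>probe</b>"})  # constructed marker value
    bare = handler(Request(method="GET"))
    with_fields = handler(Request(method="GET", query_string=probe))
    return bare == with_fields


if __name__ == "__main__":
    crafted = Request(method="GET", query_string=urlencode({"title": "<b>x</b>"}))
    print("naive   :", render_naive(crafted))
    print("hardened:", render_hardened(crafted))
    print("naive ignores GET data?   ", ignores_get_data(render_naive))
    print("hardened ignores GET data?", ignores_get_data(render_hardened))
```

The method check is what closes the issue the advisory describes, including the variant where a user is lured into saving pre-filled content, because GET data never reaches the form at all; the escaping is the defence-in-depth that keeps any value which does get stored from rendering as markup.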