CVE-2008-4571 — Plone Cross-site Scripting vulnerability in the LiveSearch module

Description

Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript even in an IMG tag.

How to fix CVE-2008-4571

To remediate CVE-2008-4571, upgrade the affected package to a fixed version below.

PyPI/plone—upgrade to 3.0.4 or later

Is CVE-2008-4571 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.0.4

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-4571
PATCHgithub.com/plone/Plone
WEBdev.plone.org/plone/ticket/7439
WEBplone.org/products/plone/releases/3.0.4
WEBweb.archive.org