CVE-2011-1340
Plone XSS Vulnerability
EPSS 0.29%
Description
Cross-site scripting (XSS) vulnerability in `skins/plone_templates/default_error_message.pt` in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the `type_name` parameter to `Members/ipa/createObject`.
How to fix CVE-2011-1340
To remediate CVE-2011-1340, upgrade the affected package to the fixed version listed below.
- PyPI/plone—upgrade to 2.5.3 or later
Is CVE-2011-1340 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- PyPI/plone: from 0, < 2.5.3