CVE-2022-23599

Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory.

CVSS v3 6.1 MEDIUM
CVSS v2.0 2.6 LOW

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

2.6^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/plone/Products.ATContentTypes/commit/fc793f88f35a15a68b52e4abed77af0da5fdbab8	Patch Third Party Advisory
https://github.com/plone/Products.ATContentTypes/security/advisories/GHSA-g4c2-ghfg-g5rh	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*

History

27 Jun 2023, 19:02

Type	Values Removed	Values Added
CWE		CWE-601

Information

Published : 2022-01-28 22:15

Updated : 2024-02-28 18:48

NVD link : CVE-2022-23599

Mitre link : CVE-2022-23599

CVE.ORG link : CVE-2022-23599

JSON object : View

Products Affected

plone

plone

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-23599", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-01-28T22:15:17.023", "references": [{"url": "https://github.com/plone/Products.ATContentTypes/commit/fc793f88f35a15a68b52e4abed77af0da5fdbab8", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/plone/Products.ATContentTypes/security/advisories/GHSA-g4c2-ghfg-g5rh", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}, {"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory."}, {"lang": "es", "value": "Products.ATContentTypes son los tipos de contenido principales para Plone versiones 2.1 - 4.3. Las versiones de Plone que dependen de Products.ATContentTypes anteriores a 3.0.6, son vulnerables a un ataque de tipo cross site scripting reflejado y a un redireccionamiento abierto cuando un atacante puede conseguir una versi\u00f3n comprometida de la p\u00e1gina image_view_fullscreen en una cach\u00e9, por ejemplo en Varnish. La t\u00e9cnica es conocida como envenenamiento de la cach\u00e9. Cualquier visitante posterior puede ser redirigido cuando haga clic en un enlace de esta p\u00e1gina. Normalmente s\u00f3lo est\u00e1n afectados los usuarios an\u00f3nimos, pero esto depende de la configuraci\u00f3n de la cach\u00e9 del usuario. Ha sido publicada la versi\u00f3n 3.0.6 de Products.ATContentTypes con una correcci\u00f3n. Esta versi\u00f3n funciona s\u00f3lo en Plone versi\u00f3n 5.2, Python 2. Como soluci\u00f3n, aseg\u00farese de que la p\u00e1gina image_view_fullscreen no es almacenada en la cach\u00e9. M\u00e1s informaci\u00f3n sobre la vulnerabilidad y medidas de mitigaci\u00f3n est\u00e1n disponibles en el GitHub Security Advisory"}], "lastModified": "2023-06-27T19:02:23.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "085289BA-3499-4F4E-98F8-B92B89C5D7DF", "versionEndExcluding": "3.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}