CVE-2023-44389: Zope management interface vulnerable to stored cross site scripting via the title property

3.1 CVSS

Description

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.

Classification

CVE ID: CVE-2023-44389

CVSS Base Severity: LOW

CVSS Base Score: 3.1

Affected Products

Vendor: zopefoundation

Product: Zope

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 30.59% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh
https://github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a
https://github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d

Timeline

2024-11-28 00:11:40 UTC
CVE

Zope management interface vulnerable to stored cross site scripting via the title property