Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/products-atcontenttypes@2.1.19 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | products-atcontenttypes |
|---|
| Version | 2.1.19 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 3.0.6 |
|---|
| Latest_non_vulnerable_version | 3.0.6 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-phf3-f5cb-xkfs |
| vulnerability_id |
VCID-phf3-f5cb-xkfs |
| summary |
Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-23599, GHSA-g4c2-ghfg-g5rh, PYSEC-2022-21
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-phf3-f5cb-xkfs |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/products-atcontenttypes@2.1.19 |
|---|