Vulnerability details: VCID-fewb-jdcf-1bfw
Vulnerability ID VCID-fewb-jdcf-1bfw
Aliases CVE-2023-42458
GHSA-wm8q-9975-xh5v
Summary Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.
Status Published
Exploitability 0.5
Weighted Severity 3.3
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
epss 0.00321 https://api.first.org/data/v1/epss?cve=CVE-2023-42458
cvssv3.1_qr LOW https://github.com/advisories/GHSA-wm8q-9975-xh5v
cvssv3.1 3.7 https://github.com/zopefoundation/Zope
generic_textual LOW https://github.com/zopefoundation/Zope
cvssv3.1 3.7 https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
generic_textual LOW https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
ssvc Track https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
cvssv3.1 3.7 https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
generic_textual LOW https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
ssvc Track https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
cvssv3.1 3.7 https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
cvssv3.1_qr LOW https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
generic_textual LOW https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
ssvc Track https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
cvssv3.1 3.7 https://nvd.nist.gov/vuln/detail/CVE-2023-42458
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-42458
cvssv3.1 3.7 http://www.openwall.com/lists/oss-security/2023/09/22/2
generic_textual LOW http://www.openwall.com/lists/oss-security/2023/09/22/2
ssvc Track http://www.openwall.com/lists/oss-security/2023/09/22/2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/zopefoundation/Zope
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T14:48:49Z/ Found at https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T14:48:49Z/ Found at https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T14:48:49Z/ Found at https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-42458
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2023/09/22/2
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T14:48:49Z/ Found at http://www.openwall.com/lists/oss-security/2023/09/22/2
Exploit Prediction Scoring System (EPSS)
Percentile 0.55349
EPSS Score 0.00321
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:01:59.354647+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/zope/CVE-2023-42458.yml 38.6.0