CVE-2023-42458

Public Exploit
Zope vulnerable to Stored Cross Site Scripting with SVG images

Description

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.

Category

3.7
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.23%
Third-Party Advisory openwall.com Third-Party Advisory github.com
Affected: zopefoundation Zope
Published at:
Updated at:

References

Link Tags
https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v third party advisory
https://github.com/zopefoundation/Zope/commit/26a55dbc301db417f47cafda6fe0f983b5690088 patch
https://github.com/zopefoundation/Zope/commit/603b0a12881c90a072a7a65e32d47ed898ce37cb patch
http://www.openwall.com/lists/oss-security/2023/09/22/2 third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2023-42458?
CVE-2023-42458 has been scored as a low severity vulnerability.
How to fix CVE-2023-42458?
To fix CVE-2023-42458, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-42458 being actively exploited in the wild?
It is possible that CVE-2023-42458 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-42458?
CVE-2023-42458 affects zopefoundation Zope.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.