CVE-2022-23599

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-23599

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23599.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-23599

Aliases

Published

2022-01-28T22:00:15Z

Modified

2025-12-06T00:06:11.363484Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting and Open Redirect in Products.ATContentTypes

Details

Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the imageviewfullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the imageviewfullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23599.json"
}

References

Affected packages

Git / github.com/plone/plone.namedfile

Affected ranges

Type: GIT
Repo: https://github.com/plone/plone.namedfile
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

93fb712524e8e00f9d10ca6afe149b422a641451

Affected versions

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0b5

1.0b6

1.0b7

1.0b8

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.1.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23599.json"

Git / github.com/plone/products.atcontenttypes

Affected ranges

Type: GIT
Repo: https://github.com/plone/products.atcontenttypes
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fc793f88f35a15a68b52e4abed77af0da5fdbab8

Affected versions

1.*

1.2.6

1.2.7

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0a1

2.0a2

2.0a3

2.0a4

2.0a5

2.0a6

2.0b1

2.0b10

2.0b11

2.0b2

2.0b3

2.0b4

2.0b5

2.0b6

2.0b7

2.0b8

2.0b9

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

3.*