CVE-2008-4571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4571): Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript event in an IMG tag.
I'm not 100% sure if our versions in the tree are vulnerable. Zope team, can you check that? The URL has a POC.
From http://www.securityfocus.com/bid/27098 it appears that none of the versions that are in the tree are affected by this issue.
correcting title and whiteboard. Tupone, the bugtraq link lists 2.5.5 in neither "vulnerable" nor "not vulnerable", so that is not reliable information. According to http://plone.org/products/plone/releases/2.5.5 the 2.5.5 series is not supported upstream anymore, so from a general POV I would suggest we mark stable a newer version. Are there any blockers or regressions that have to be resolved before that?
xss is b4, not b2
Working on stabilizing a newer version. I need net-zope/zope-2.10.6, for which a stabilization request has been done, and net-zope/plone-3.1.{maybe 6?}, for which I'd wait for 1 month without bugs before filing a request.
Since we are dealing with a possible security bug, I'd like to get this fixed sooner than 4 weeks away from now. The plone 3 series is in the tree for months now, so let's target 2 weeks after the 3.1.6 commit -- Nov. 6.
tupone, usually we do security stablings right on the security bugs. but thanks for opening the bug anyway :-)
time for GLSA decision. XSS => no.
no as well