Zope Web Application Server Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2023-42458

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5 there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable even when the SVG image contains malicious code. To exploit the vulnerability an attacker would first need to upload an image and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround make sure the quotAdd Documents Images and Filesquot permission is only assigned to trusted roles. By default only the Manager has this permission.