CVE-2008-4571

Published: Oct 15, 2008Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript even in an IMG tag.

Affected (11)

Products: Plone: Plone

1 product

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Plone Plone	Up to 3.0.3
Plone Plone	Version 2.0.5
Plone Plone	Version 2.1.2
Plone Plone	Version 2.5.1
Plone Plone	Version 2.5.1_rc
Plone Plone	Version 2.5.4
Plone Plone	Version 2.5
Plone Plone	Version 2.5_beta1
Plone Plone	Version 3.0.1
Plone Plone	Version 3.0.2
Plone Plone	Version 3.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

http://dev.plone.org/plone/ticket/7439

Source: cve@mitre.org

ExploitVendor Advisory

http://osvdb.org/40660

Source: cve@mitre.org

http://plone.org/products/plone/releases/3.0.4

Source: cve@mitre.org

Patch

http://secunia.com/advisories/28293

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/27098

Source: cve@mitre.org

Patch

http://dev.plone.org/plone/ticket/7439

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

http://osvdb.org/40660

Source: af854a3a-2127-422b-91ae-364da2661108

http://plone.org/products/plone/releases/3.0.4

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://secunia.com/advisories/28293

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/27098

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.