Candidate: CVE-2016-7147
PublicDate: 2017-02-04 05:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7147
 https://plone.org/security/hotfix/20170117
 https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2
 https://www.curesec.com/blog/article/blog/Plone-XSS-186.html
 https://github.com/zopefoundation/Zope/pull/86/commits/e130ee11fe36255b90c85404520b503e29e16e09
Description:
 Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_zope2.13:
upstream_zope2.13: needs-triage
precise_zope2.13: DNE
precise/esm_zope2.13: DNE
trusty_zope2.13: ignored (reached end-of-life)
trusty/esm_zope2.13: DNE (trusty was needed)
vivid/stable-phone-overlay_zope2.13: DNE
vivid/ubuntu-core_zope2.13: DNE
xenial_zope2.13: ignored (end of standard support, was needed)
yakkety_zope2.13: ignored (reached end-of-life)
zesty_zope2.13: ignored (reached end-of-life)
artful_zope2.13: ignored (reached end-of-life)
bionic_zope2.13: needed
cosmic_zope2.13: ignored (reached end-of-life)
disco_zope2.13: ignored (reached end-of-life)
eoan_zope2.13: DNE
focal_zope2.13: DNE
groovy_zope2.13: DNE
hirsute_zope2.13: DNE
impish_zope2.13: DNE
jammy_zope2.13: DNE
devel_zope2.13: DNE