A possible XSS (cross-site scripting) security issue has been found in LinguaPlone, caused by displaying unquoted user-entered data in the translation browser popup. The translation browser popup is only available from the advanced manage translations screen.
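The defect class described above is output without HTML escaping. The following Python snippet is an added illustration and is not LinguaPlone's own code: it renders a small translation list the way a popup might, once in the vulnerable pattern (untrusted titles concatenated into the markup as-is) and once in the hardened form (every untrusted value escaped for its context with html.escape). The sample translations, the example.org URLs and the helper names are constructed for this example.

```python
import html
from typing import List, Tuple

# Constructed sample translations: (language code, title, URL).
# Titles are assumed to be user-entered, e.g. a document title typed by an editor.
SAMPLE_TRANSLATIONS: List[Tuple[str, str, str]] = [
    ("en", 'Annual "Report" <b>2010</b>', "http://example.org/en/report"),
    ("de", "Jahresbericht & Ausblick", "http://example.org/de/bericht"),
]


def render_popup_unsafe(translations: List[Tuple[str, str, str]]) -> str:
    """Vulnerable pattern: user-entered titles are written into the markup
    without quoting, so any markup inside a title is interpreted as HTML
    by the browser instead of being shown as text."""
    rows = []
    for lang, title, url in translations:
        rows.append('<li><a href="%s">%s (%s)</a></li>' % (url, title, lang))
    return "<ul>%s</ul>" % "".join(rows)


def render_popup(translations: List[Tuple[str, str, str]]) -> str:
    """Hardened form: each untrusted value is escaped for the context it is
    inserted into. html.escape(..., quote=True) replaces &, <, >, " and '
    so the same helper is safe for element text and for double-quoted
    attribute values such as href."""
    rows = []
    for lang, title, url in translations:
        rows.append(
            '<li><a href="%s">%s (%s)</a></li>'
            % (
                html.escape(url, quote=True),
                html.escape(title, quote=True),
                html.escape(lang, quote=True),
            )
        )
    return "<ul>%s</ul>" % "".join(rows)


def untrusted_markup_leaked(rendered: str, translations: List[Tuple[str, str, str]]) -> bool:
    """Review check: does any user-entered title that contains markup
    characters appear verbatim (unescaped) in the rendered output?
    True means the output is vulnerable to the issue described above."""
    return any(
        any(c in title for c in '<>"&') and title in rendered
        for _, title, _ in translations
    )


if __name__ == "__main__":
    print("unsafe leaks markup:", untrusted_markup_leaked(render_popup_unsafe(SAMPLE_TRANSLATIONS), SAMPLE_TRANSLATIONS))
    print("hardened leaks markup:", untrusted_markup_leaked(render_popup(SAMPLE_TRANSLATIONS), SAMPLE_TRANSLATIONS))
    print(render_popup(SAMPLE_TRANSLATIONS))
```

In Zope Page Templates the equivalent fix is to let `tal:content` / `tal:attributes` escape values rather than inserting them with `structure`; the check function above is the kind of assertion a test suite can run over rendered output to catch a regression.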
The issue has been reported to the Plone security team by Andrew Nicholson of infiniterecursion.com.au.
Affected versions of LinguaPlone
All past and present versions of LinguaPlone are vulnerable.
Updated versions
The issue has been fixed in the following versions of LinguaPlone:
For Plone 4.x install:
http://pypi.python.org/pypi/Products.LinguaPlone/4.0
For Plone 3.3.x install:
http://pypi.python.org/pypi/Products.LinguaPlone/3.2
For Plone 3.1.5 or later and Plone 3.2.x install:
http://pypi.python.org/pypi/Products.LinguaPlone/2.4.1
Older versions of LinguaPlone are no longer maintained.
Reported incidents
No incidents of this vulnerability being exploited have been reported.