CVE-2021-35959: 
Python vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Plone versions 5.0.0 through 5.2.4, identified as CVE-2021-35959. The vulnerability was discovered by Matt Moreschi and reported to the Plone security team. The issue affects Editors who are vulnerable to XSS attacks in the folder contents view when a Contributor creates a folder with a SCRIPT tag in the description field (OSS Security).

The vulnerability exists in the folder contents view functionality of Plone CMS. It allows a Contributor to inject malicious JavaScript code through SCRIPT tags in folder descriptions, which can then be executed when an Editor views the folder contents. This creates a stored XSS condition where the malicious code persists in the system (OSS Security).

When exploited, this vulnerability allows attackers with Contributor access to execute arbitrary JavaScript code in the context of Editor users viewing the affected folder contents. This could potentially lead to session hijacking, credential theft, or other malicious actions performed under the Editor's privileges.

A fix was released in the hotfix package version 1.5, available as Products.PloneHotfix20210518. The permanent fix was included in plone.app.content 3.8.8, which was subsequently included in Plone 5.2.5. Users are advised to either apply the hotfix package or upgrade to Plone 5.2.5 or later versions (OSS Security).