CVE-2022-23599: 
Python vulnerability analysis and mitigation

Products.ATContentTypes, a core content type package for Plone 2.1 - 4.3, was found to contain a vulnerability identified as CVE-2022-23599. The vulnerability was discovered and disclosed on January 28, 2022, affecting versions prior to 3.0.6. The issue involves reflected cross-site scripting and open redirect vulnerabilities that can be exploited through cache poisoning techniques (GitHub Advisory).

The vulnerability stems from improper handling of the image_view_fullscreen page in cached content. When an attacker can get a compromised version of this page into a cache (such as Varnish), it becomes vulnerable to both reflected XSS and open redirect attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NVD and 4.3 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-601 (URL Redirection to Untrusted Site) (NVD).

The vulnerability primarily affects anonymous users, though the impact can vary depending on cache settings. When successfully exploited, any subsequent visitor to the compromised page can be redirected when clicking on links, potentially leading to phishing attacks or unauthorized data access. The attack technique involves cache poisoning, which can persist and affect multiple users accessing the cached content (GitHub Advisory).

The primary mitigation is to upgrade to Products.ATContentTypes version 3.0.6 or later, which includes a security fix. For unpatched versions, a workaround involves preventing the image_view_fullscreen page from being stored in the cache. This can be accomplished by logging in as Manager, accessing Site Setup, navigating to the 'Caching' control panel, and removing 'image_view_fullscreen' from the 'Content item view' ruleset under 'Legacy template mappings' (GitHub Advisory).