GHSA-hc5c-r8m5-2gfh: 
Python vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in plone.restapi versions 8.0.0 through 8.43.2 (CVE-2023-42458). The vulnerability affects SVG images uploaded as user portraits in the Plone content management system. The issue was disclosed on September 21, 2023, and affects both Plone 6.0 and Plone 5.2 on Python 3 installations (GitHub Advisory).

The vulnerability exists in the handling of SVG images uploaded as user portraits. While normal image tags with SVG sources are not vulnerable, the issue arises when an SVG image is uploaded as a user portrait and accessed through a specially crafted link. The vulnerability has been assigned a CVSS v3.1 score of 3.7 (Low severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector, high complexity, low privileges required, and user interaction required (GitHub Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute cross-site scripting attacks through maliciously crafted SVG images. The impact is limited to scenarios where an attacker can upload an SVG image as a user portrait and convince a user to follow a specially crafted link to that portrait (GitHub Advisory).

The vulnerability has been patched in plone.restapi version 8.43.3. For Plone 6.0 and Plone 5.2 on Python 3, users should upgrade to this version. For earlier versions of plone.restapi (version 7 or earlier) where the @portrait endpoint didn't exist, a fix in Zope 4 is required. As a workaround, administrators can remove the portrait field from the member data schema, though this is considered a drastic measure (GitHub Advisory, Openwall).