CVE-2022-23599 is a medium-severity vulnerability affecting Products.ATContentTypes, which are core content types used in Plone versions 2.1 through 4.3. Plone is an open-source content management system widely used for building websites and intranets. The vulnerability arises from a reflected cross-site scripting (XSS) and open redirect issue linked to the image_view_fullscreen page. Specifically, if an attacker can poison a cache—such as Varnish caching proxy—with a compromised version of this page, subsequent visitors retrieving the cached page may be redirected to malicious sites when clicking on links within it. This attack vector is known as cache poisoning. The vulnerability primarily affects anonymous users, although the impact can vary depending on individual user cache settings. The root cause is improper sanitization of input parameters leading to reflected XSS (CWE-79) and open redirect flaws. The issue was addressed in version 3.0.6 of Products.ATContentTypes, which is compatible with Plone 5.2 running on Python 2. As an interim mitigation, administrators are advised to configure caching layers to exclude the image_view_fullscreen page from being cached, preventing poisoned content from being served to users. No known exploits have been reported in the wild to date. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack can be performed remotely without privileges but requires user interaction and results in limited confidentiality impact without affecting integrity or availability.

For European organizations utilizing Plone CMS versions dependent on vulnerable Products.ATContentTypes (prior to 3.0.6), this vulnerability poses a risk of client-side attacks via reflected XSS and open redirects. Attackers could exploit cache poisoning to serve malicious content to website visitors, potentially leading to phishing, session hijacking, or redirection to malicious sites. While the direct impact on the server or backend systems is minimal, the reputational damage and loss of user trust can be significant, especially for public-facing websites of government agencies, educational institutions, and enterprises. Since anonymous users are primarily affected, organizations with high volumes of public traffic are at greater risk. The vulnerability does not compromise data integrity or availability but can lead to leakage of sensitive information through client-side attacks. The reliance on caching proxies like Varnish in European deployments increases the attack surface if cache configurations are not properly hardened. Given the medium severity and the availability of a patch, the impact is manageable but requires timely remediation to prevent exploitation.

1. Upgrade Products.ATContentTypes to version 3.0.6 or later, which contains the fix for this vulnerability. Ensure that the Plone instance is compatible with this version, particularly if running Plone 5.2 on Python 2. 2. Configure caching layers such as Varnish or other reverse proxies to exclude the image_view_fullscreen page from being cached. This prevents cache poisoning attacks by ensuring that maliciously crafted pages are not stored and served to other users. 3. Implement strict Content Security Policy (CSP) headers to limit the impact of reflected XSS by restricting the sources of executable scripts and preventing inline script execution. 4. Conduct regular security audits and penetration testing focusing on cache configurations and input sanitization in Plone-based websites. 5. Educate administrators and developers about secure coding practices related to input validation and output encoding to prevent reflected XSS and open redirect vulnerabilities in future customizations. 6. Monitor web traffic and logs for unusual redirect patterns or cache anomalies that could indicate attempted exploitation.