A vulnerability has been discovered in Volto, the default NodeJS
frontend for the Plone CMS.
### Impact
When visiting a specific URL, an anonymous user could cause the NodeJS
server part of Volto to quit with an error.
### Patches
The problem has been patched and the patch has been backported to Volto
major versions down until 16. It is advised to upgrade to the latest
patch release of your respective current major version:
* Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0)
* Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1)
* Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0)
* Volto 19:
[19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4)
### Workarounds
Make sure your setup automatically restarts processes that quit with an
error. This won't prevent a crash, but it minimises downtime.
### Report
The problem was discovered by FHNW, a client of Plone provider
kitconcept, who shared it with the Plone Zope Security Team
([email protected]).
### Github Advisory
The same information was published to GitHub in this
[advisory](https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5).
Maurits van Rees
Plone/Zope Security Team
