Plone Security Advisories

by Matthew Wilkes last modified Oct 05, 2011 10:19 PM

Please see the Plone Hotfix Page for patches and hotfixes addressing these advisories. To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org.

RSS Feed of Security Advisories

Security vulnerability: 20121106 - Multiple vectors by Matthew Wilkes — last modified Nov 07, 2012 04:18 PM
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.
Security announcement: Zope Hotfix 20111024 by Steve McMahon — last modified Oct 28, 2011 03:46 PM
The latest Zope security announcement does not affect most Plone installations.
Security vulnerability announcement: 20110928 - Arbitrary Code Execution by Steve McMahon — last modified Oct 30, 2012 08:00 PM
A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.
Security vulnerability announcement: CVE-2011-2528 – Privilege escalation by Laurence Rowe — last modified Aug 01, 2011 09:59 AM
A highly serious vulnerability in Zope that allows unauthorised access.
Hotfix Error: Hotfix20110531 version 1.0 is incomplete by Matthew Wilkes — last modified Jun 02, 2011 04:45 PM
A critical flaw has been found in version 1.0 of Hotfix20110531, an update is now available
Security vulnerability announcement: CVE-2011-1950 – An escalation of privileges attack by Matthew Wilkes — last modified Jun 22, 2011 12:05 AM
A vulnerability in plone.app.users affecting Plone 4.0 and 4.1.
Security vulnerability announcement: CVE-2011-1949 – A persistent cross site scripting vulnerability by Matthew Wilkes — last modified Jun 22, 2011 12:02 AM
A vulnerability in Plone versions using Products.PortalTransforms, including Plone 2.1 through 4.1.
Security vulnerability announcement: CVE-2011-1948 – A reflected cross site scripting vulnerability by Matthew Wilkes — last modified Jun 22, 2011 12:02 AM
A vulnerability in all Plone versions that allows specially crafted URLs to return arbitrary content.
Security vulnerability announcement: CVE-2011-0720 - Privilege escalation by Matthew Wilkes — last modified Jun 01, 2011 04:07 PM
A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.
CVE-2010-2422: HTML injection in safe_html by Matthew Wilkes — last modified Jul 02, 2010 09:52 AM
This update fixes a flaw in Plone's HTML filtering that allows arbitrary code to be injected into pages.
CVE-2009-0662: Authentication flaw in login form by Wichert Akkerman — last modified Apr 21, 2009 04:10 PM
This update fixes a flaw in the login form handling which allowed authenticated users to assume another identity.
CVE-2008-0164: Cross Site Request Forging (CSRF) security vulnerability by Wichert Akkerman — last modified May 14, 2008 08:46 AM
This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks.
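The check behind a fix like this is a per-user, per-session authenticator token that the form must carry back and that a third-party site cannot read. The block below is an added illustration of that pattern, not Plone's own code: the `_authenticator` field name, `SITE_SECRET`, the dictionary-shaped `request`, `users` store and `handle_set_password` handler are all assumptions made for the example, and the three requests (a forged cross-site POST, a guessed token, and a legitimate submission) are constructed inline.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret for this example; a real deployment loads it
# from configuration and never exposes it to the browser.
SITE_SECRET = b"example-site-secret"


def make_authenticator(user_id: str, session_nonce: str) -> str:
    """Token bound to the logged-in user and their session.

    Only the site can compute it, and because it is embedded in the page
    rather than in a cookie, an attacker's page cannot obtain it: the browser
    attaches cookies to a cross-site POST automatically, but not page content.
    """
    msg = f"{user_id}:{session_nonce}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def check_authenticator(form: dict, user_id: str, session_nonce: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    token = form.get("_authenticator")
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(token, make_authenticator(user_id, session_nonce))


def handle_set_password(request: dict, user_id: str, session_nonce: str, users: dict) -> str:
    """Hypothetical security-sensitive form handler. Returns an outcome string.

    `request` is an assumed shape: {"method": ..., "form": {...}}.
    """
    if request["method"] != "POST":
        return "rejected: not a POST"
    if not check_authenticator(request["form"], user_id, session_nonce):
        return "rejected: missing or invalid _authenticator"
    users[user_id] = request["form"]["password"]
    return "ok"


def demo():
    """Run three constructed requests against the handler for user 'alice'."""
    users = {"alice": "old-password"}
    nonce = secrets.token_hex(16)  # would live in the user's session

    # Constructed cross-site POST: alice's browser sends her cookies, but the
    # attacker's page has no way to include the token.
    forged = {"method": "POST", "form": {"password": "attacker-chosen"}}
    # Constructed guess: the attacker supplies a token of the right length.
    guessed = {"method": "POST",
               "form": {"password": "attacker-chosen", "_authenticator": "0" * 64}}
    # Legitimate submission from a form the site rendered for alice.
    legit = {"method": "POST",
             "form": {"password": "new-password",
                      "_authenticator": make_authenticator("alice", nonce)}}

    outcomes = [handle_set_password(r, "alice", nonce, users)
                for r in (forged, guessed, legit)]
    return outcomes, users["alice"]


if __name__ == "__main__":
    print(demo())
```

The nonce is what stops a token captured for one session from being replayed in another; binding it to the user id stops a token issued to one account from authenticating a form submitted as a different account.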
CVE-2007-5741: Unsafe data interpreted as pickles by Wichert Akkerman — last modified Nov 17, 2007 09:33 AM
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.
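Unpickling data that came from the network is arbitrary code execution by construction: a pickle can name any importable callable and the arguments to call it with, and the unpickler invokes it while rebuilding the object. The block below is an added illustration of the flaw class and of a hardened replacement; it is not Plone's code and does not reproduce the statusmessages or linkintegrity implementation. The cookie layout, `SECRET_KEY`, the function names and the constructed malicious cookie are all assumptions made for the example; the attacker's callable is a harmless marker so the demonstration is safe to run.

```python
import hashlib
import hmac
import json
import pickle

# Records that the attacker-chosen callable actually ran inside this process.
EXECUTED = []


def attacker_callable(arg):
    """Stands in for os.system or similar; a real payload would pick those."""
    EXECUTED.append(arg)
    return "pwned"


class Payload:
    """An object whose pickle tells the unpickler to call attacker_callable."""

    def __reduce__(self):
        return (attacker_callable, ("code ran inside the server process",))


def build_malicious_cookie() -> bytes:
    """Constructed attacker input: what the browser would send back."""
    return pickle.dumps(Payload())


# Vulnerable pattern (illustrative, not Plone's code): status messages are
# stored client-side as a raw pickle and trusted when they come back.
def load_status_messages_vulnerable(cookie_value: bytes):
    return pickle.loads(cookie_value)


# Hardened pattern: a data-only format (JSON) plus an HMAC tag, so the server
# accepts only values it issued itself and never reconstructs callables.
SECRET_KEY = b"server-side-secret-rotate-me"  # assumed; load from config in practice


def dump_status_messages_safe(messages: list) -> bytes:
    body = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def load_status_messages_safe(cookie_value: bytes):
    """Returns the message list, or None for anything not issued by this server."""
    tag, sep, body = cookie_value.partition(b".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(body)
    # Validate the shape too: authenticity of the bytes is not the same as
    # the decoded value being what the rest of the code expects.
    if not isinstance(data, list) or not all(
        isinstance(m, dict)
        and isinstance(m.get("message"), str)
        and isinstance(m.get("type"), str)
        for m in data
    ):
        return None
    return data


def demo():
    """Feed the same malicious cookie to both loaders and a real one to the safe loader."""
    cookie = build_malicious_cookie()
    vulnerable_result = load_status_messages_vulnerable(cookie)  # runs attacker code
    safe_result = load_status_messages_safe(cookie)  # rejected: no valid tag
    msgs = [{"message": "Changes saved.", "type": "info"}]
    round_trip = load_status_messages_safe(dump_status_messages_safe(msgs))
    return vulnerable_result, safe_result, round_trip


if __name__ == "__main__":
    print(demo())
```

The HMAC alone would already block the pickle payload, but switching the format to JSON is what removes the code-execution primitive: a signing bug or a leaked key then costs you message integrity, not the process.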
Zope XSS vulnerability, please update your sites by Alex Limi — last modified Mar 21, 2007 06:15 AM
A vulnerability has been discovered in Zope, whereby misuse of certain types of HTTP GET could lead to elevated privileges. All Zope versions up to and including 2.10.2 are affected.
Security: PlonePAS user/group fix (CVE-2006-4249) by Alex Limi — last modified Nov 02, 2006 06:03 PM
PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.
Zope reStructuredText information disclosure (CVE-2006-4684) by Wichert Akkerman — last modified Oct 02, 2006 12:08 PM
An information disclosure vulnerability has been discovered in Zope/Plone's handling of the csv-table directive in reStructuredText content. Any Plone site which allows untrusted users to add/edit reStructuredText content is vulnerable to this issue and should apply the hotfix.
Non-image member portraits by Wichert Akkerman — last modified Oct 02, 2006 12:08 PM
Plone did not verify if member portraits were real images. This allowed users to upload, for example, html pages to sites where they would otherwise not be able to create content.
Password reset vulnerability (CVE-2006-4247) by Wichert Akkerman — last modified Sep 29, 2006 10:33 PM
The password reset tool product did not have proper security checks for its password reset method, allowing anonymous users to reset any user's password through the web. Any site running Plone 2.5 should upgrade to the latest version of Password Reset Tool. Plone 2.1.x and 2.0.x are not affected.
Zope reStructuredText information disclosure (CVE-2006-3458) by Wichert Akkerman — last modified Oct 02, 2006 12:08 PM
An information disclosure vulnerability has been discovered in Zope/Plone's handling of reStructuredText content. Any Plone site which allows untrusted users to add/edit reStructuredText content is vulnerable to this issue and should apply the hotfix.
Insufficient security checks for member portraits (CVE-2006-1711) by Wichert Akkerman — last modified Oct 02, 2006 12:09 PM
Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.