Advisories
Security advisories for Plone.
CVE-2008-0164: Cross Site Request Forging (CSRF) security vulnerability
This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks.
CVE-2007-5741: Unsafe data interpreted as pickles
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process.
Zope XSS vulnerability, please update your sites
A vulnerability has been discovered in Zope, whereby misuse of certain types of HTTP GET could lead to elevated privileges. All Zope versions up to and including 2.10.2 are affected.
Security: PlonePAS user/group fix (CVE-2006-4249)
PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.
Password reset vulnerability (CVE-2006-4247)
The Password Reset Tool product did not have proper security checks for its password reset method, allowing anonymous users to reset any user's password through the web. Any site running Plone 2.5 should upgrade to the latest version of Password Reset Tool. Plone 2.1.x and 2.0.x are not affected.
Non-image member portraits
Plone did not verify that member portraits were real images. This allowed users to upload, for example, HTML pages to sites where they would otherwise not be able to create content.
Zope reStructuredText information disclosure (CVE-2006-4684)
An information disclosure vulnerability has been discovered in Zope/Plone's handling of the csv_table command in reStructuredText content. Any Plone site that allows untrusted users to add or edit reStructuredText content is vulnerable to this issue and should apply the hotfix.
Zope reStructuredText information disclosure (CVE-2006-3458)
An information disclosure vulnerability has been discovered in Zope/Plone's handling of reStructuredText content. Any Plone site that allows untrusted users to add or edit reStructuredText content is vulnerable to this issue and should apply the hotfix.
Insufficient security checks for member portraits (CVE-2006-1711)
Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.