Insufficient security checks for member portraits (CVE-2006-1711)

by Wichert Akkerman last modified October 2, 2006 - 12:09

This issue has been assigned CVE-2006-1711.

Vulnerability details

Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
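The defect described above is a missing authorization check: an operation that acts on a member account accepts a caller-supplied member identifier without confirming that the caller is that member (or an administrator). The following is an added illustration in plain Python, not Plone's code and not the hotfix; the names (`PortraitStore`, `change_portrait_unchecked`, `change_portrait_checked`, `delete_portrait_checked`, the "Manage portal" permission string) are assumptions chosen for the example. It places the weak form beside a hardened form that fails closed for anonymous callers and refuses to act on another member's portrait unless the caller holds a management permission.

```python
"""Model of a missing authorization check on member-portrait operations.

Added example only: a simplified stand-in for the class of bug the advisory
describes, not Plone's implementation. All identifiers are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed name for the permission an administrator would hold.
MANAGE_PERMISSION = "Manage portal"


class Unauthorized(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass(frozen=True)
class User:
    user_id: str
    permissions: frozenset = frozenset()


@dataclass
class PortraitStore:
    """Constructed in-memory store: member id -> portrait bytes."""
    portraits: dict = field(default_factory=dict)


def change_portrait_unchecked(store: PortraitStore, caller: Optional[User],
                              member_id: str, portrait: bytes) -> None:
    """Weak form: trusts the caller-supplied member_id and never looks at
    who the caller is, so any request can overwrite any member's portrait."""
    store.portraits[member_id] = portrait


def _authorize(caller: Optional[User], member_id: str) -> None:
    """Fail closed: require authentication, then require that the caller is
    acting on their own account or holds the management permission."""
    if caller is None:
        raise Unauthorized("authentication required")
    if member_id != caller.user_id and MANAGE_PERMISSION not in caller.permissions:
        raise Unauthorized(f"{caller.user_id} may not modify portrait of {member_id}")


def change_portrait_checked(store: PortraitStore, caller: Optional[User],
                            member_id: str, portrait: bytes) -> None:
    """Hardened form: authorization check precedes the state change."""
    _authorize(caller, member_id)
    store.portraits[member_id] = portrait


def delete_portrait_checked(store: PortraitStore, caller: Optional[User],
                            member_id: str) -> bool:
    """Hardened delete; returns True if a portrait was removed."""
    _authorize(caller, member_id)
    return store.portraits.pop(member_id, None) is not None


def demo() -> dict:
    """Exercise both forms on constructed data and report the outcomes."""
    alice = User("alice")
    bob = User("bob")
    admin = User("admin", frozenset({MANAGE_PERMISSION}))
    weak = PortraitStore({"bob": b"bob-original"})
    hardened = PortraitStore({"bob": b"bob-original"})

    # Weak form: alice silently overwrites bob's portrait.
    change_portrait_unchecked(weak, alice, "bob", b"replaced-by-alice")

    # Hardened form: same attempt is refused, bob's own change and the
    # administrator's change succeed, anonymous callers are refused.
    outcomes = {}
    try:
        change_portrait_checked(hardened, alice, "bob", b"replaced-by-alice")
        outcomes["alice_on_bob"] = "allowed"
    except Unauthorized:
        outcomes["alice_on_bob"] = "refused"
    try:
        change_portrait_checked(hardened, None, "bob", b"anon")
        outcomes["anonymous"] = "allowed"
    except Unauthorized:
        outcomes["anonymous"] = "refused"
    change_portrait_checked(hardened, bob, "bob", b"bob-new")
    change_portrait_checked(hardened, admin, "alice", b"set-by-admin")
    outcomes["weak_bob"] = weak.portraits["bob"]
    outcomes["hardened_bob"] = hardened.portraits["bob"]
    outcomes["admin_deleted_alice"] = delete_portrait_checked(hardened, admin, "alice")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design point is that the check lives in one helper called before any mutation, so every portrait operation (change and delete alike) shares the same fail-closed rule rather than each method re-implementing, or forgetting, it.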

Affected versions

All 2.0 and 2.1 Plone versions are affected
  • All Plone 2.0 versions
  • Plone 2.1 up to version 2.1.3
Plone 2.5 is not affected.

Installing the hotfix

If you cannot upgrade your Plone installation, or if your Plone version has no fixed release yet, you can install Plone Hotfix 2006-04-10. The hotfix can be installed as a normal Zope product:
  • extract it in the Products directory of your Zope instance
  • restart Zope
  • verify that the hotfix is listed in the product management page in the Zope control panel
