Plone Security Advisories

by Matthew Wilkes last modified Oct 05, 2011 10:19 PM

Please see the Plone Hotfix Page for patches and hotfixes addressing these advisories.  To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org.


eea.facetednavigation vulnerability requires immediate upgrade by Matthew Wilkes — last modified Jan 29, 2014 11:27 AM
A medium severity vulnerability in the popular add-on product EEA Faceted Navigation.
20131210 - Pre-announcement of hotfix by Matthew Wilkes — last modified Dec 10, 2013 02:50 PM
In keeping with our new policy of 4-monthly hotfixes, we are announcing the planned release of a security fix on Tuesday 10th December 2013.
20130618 Hotfix update posted by Nathan Van Gheem — last modified Jul 02, 2013 01:50 PM
Version 1.3 of 20130618 released.
Security Patch Delayed until 2013-06-18 by Nathan Van Gheem — last modified Jun 11, 2013 02:23 PM
Server issues at download.zope.org are delaying the hotfix.
Security vulnerability announcement: 20130618 - Multiple vectors by Matthew Wilkes — last modified Oct 15, 2013 03:11 PM
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.
PloneFormGen vulnerability requires immediate upgrade by Steve McMahon — last modified May 29, 2013 11:12 PM
PloneFormGen, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.
Security vulnerability: 20121106 - Multiple vectors by Matthew Wilkes — last modified Nov 07, 2012 04:18 PM
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.
Security announcement: Zope Hotfix 20111024 by Steve McMahon — last modified Oct 28, 2011 03:46 PM
The latest Zope security announcement does not affect most Plone installations.
Security vulnerability announcement: 20110928 - Arbitrary Code Execution by Steve McMahon — last modified Oct 30, 2012 08:00 PM
A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.
Security vulnerability announcement: CVE-2011-2528 – Privilege escalation by Laurence Rowe — last modified Aug 01, 2011 09:59 AM
A highly serious vulnerability in Zope that allows unauthorised access.
Hotfix Error: Hotfix20110531 version 1.0 is incomplete by Matthew Wilkes — last modified Jun 02, 2011 04:45 PM
A critical flaw has been found in version 1.0 of Hotfix20110531; an update is now available.
Security vulnerability announcement: CVE-2011-1950 – An escalation of privileges attack by Matthew Wilkes — last modified Jun 22, 2011 12:05 AM
A vulnerability in plone.app.users affecting Plone 4.0 and 4.1.
Security vulnerability announcement: CVE-2011-1949 – A persistent cross site scripting vulnerability by Matthew Wilkes — last modified Jun 22, 2011 12:02 AM
A vulnerability in Plone versions using Products.PortalTransforms, including Plone 2.1 through 4.1.
Security vulnerability announcement: CVE-2011-1948 – A reflected cross site scripting vulnerability by Matthew Wilkes — last modified Jun 22, 2011 12:02 AM
A vulnerability in all Plone versions that allows specially crafted URLs to return arbitrary content.
Security vulnerability announcement: CVE-2011-0720 - Privilege escalation by Matthew Wilkes — last modified Jun 01, 2011 04:07 PM
A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.
CVE-2010-2422: HTML injection in safe_html by Matthew Wilkes — last modified Jul 02, 2010 09:52 AM
This update fixes a flaw in Plone's HTML filtering that allows arbitrary code to be injected into pages.
CVE-2009-0662: Authentication flaw in login form by Wichert Akkerman — last modified Apr 21, 2009 04:10 PM
This update fixes a flaw in the login form handling which allowed authenticated users to assume another identity.
CVE-2008-0164: Cross Site Request Forging (CSRF) security vulnerability by Wichert Akkerman — last modified May 14, 2008 08:46 AM
This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks.
CVE-2007-5741: Unsafe data interpreted as pickles by Wichert Akkerman — last modified Nov 17, 2007 09:33 AM
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process.
Zope XSS vulnerability, please update your sites by Alex Limi — last modified Mar 21, 2007 06:15 AM
A vulnerability has been discovered in Zope, whereby misuse of certain types of HTTP GET could lead to elevated privileges. All Zope versions up to and including 2.10.2 are affected.