Security vulnerability announcement: CVE-2011-1950 – An escalation of privileges attack

A vulnerability in plone.app.users affecting Plone 4.0 and 4.1.

This is an escalation of privileges vulnerability that makes it possible for an authenticated Plone user to edit the properties of other users, bypassing the authorization checks that should restrict such edits.

As this vulnerability was disclosed publicly, it is highly recommended that all site administrators and their privileged users reset their passwords.

Fix

The Hotfix for this vulnerability is Hotfix 20110531.

*** IMPORTANT ***: The original release of this hotfix that was made on May 31 had a critical flaw. Please make sure you are using version 2.0 of the hotfix. The Plone security team apologizes for the error.


Information for security researchers

CVSS Base Score: 6.8
Impact Subscore: 6.9
Exploitability Subscore: 8
Overall CVSS Score: 6.8