Plone Security Vulnerabilities and Fix Announced

On June 2nd, the Plone Security Team announced three security vulnerabilities in the Plone CMS, and released a Hotfix to eliminate the risk of them being exploited.

The Plone Security Team released details of all three issues: one a reflected cross-site scripting vulnerability, one a persistent cross-site scripting vulnerability, and one a privilege escalation vulnerability.  You can read the details of each by clicking the links above.

At the same time, the team released a Hotfix to fix these vulnerabilities, and later the same day released an updated version of the Hotfix to resolve a problem with the initial release.  If you updated your site using the original fix, you should check this document for more information.

The bottom line is that everyone running Plone should update their site to make sure it is not vulnerable.

Version 2.0 of this fix, which contains a tighter check for potential attacks, is now available at http://plone.org/products/plone-hotfix/releases/20110531.