Plone Hotfix 20130618 (Jun 18, 2013)

A hotfix for all versions of Plone <= 4.2.5 and Plone 4.3 <= 4.3. Fixes various vulnerabilities in Zope and Plone including arbitrary code execution and privilege escalation.

For additional information about this project, please visit the overview page.

Available downloads

For all platforms (14.1 KB)

For all platforms (13.7 KB)

For all platforms (13.1 KB)

Release Notes

Tested with: Plone 4.3, Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, Plone 2.1
State: Final release
License: GPL
Release Manager: Security Team

See for additional background on this hotfix.

This hotfix should be applied to the following versions of Plone:

  • Plone <= 4.3.1
  • Plone <= 4.2.5
  • Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1

Hotfix versions

Please note that there is a version 1.3 of the hotfix. Version 1.0 was discovered to cause problems on Plone 2.1 systems and with certain add-ons in other versions of Plone. Version 1.1 also contained a few minor issues. If you're just getting around to installing the hotfix now, or if you're experiencing issues with version 1.0 or 1.1 of the hotfix, please install version 1.3.

Installation instructions

The procedure for installing Hotfix 20130618 differs slightly based on which version of Plone or Zope you are running, and whether you installed Plone or Zope using Buildout.

Backup First!

It is prudent to back up all of your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to copy your entire Zope instance folder or buildout folder to a secure location.

Recommended Install Procedure

If you're less experienced with Plone, the easiest way to install Hotfix 20130618 on Plone 3.0 - Plone 4.x is as follows:

1) Download the hotfix archive using the link above. If you have an md5 tool available (Linux or Mac), check that the checksum of the downloaded file matches:

MD5 (

2) Place the downloaded zip file into the "products" directory in your Zope instance. On pre-buildout installations, this will be "Products".

3) Unpack the zip file.

On Linux or Mac, the command is:

 $ unzip

On Windows, use your favorite archiving product. (7Zip is a good choice.)

4) Restart your Zope instance in foreground mode to ensure that the hotfix is installed.

On Mac or Linux, the command is typically:

 $ bin/instance fg

On Windows, the command is typically:

> bin\instance.exe fg

Zope will start in the foreground, and you should see the message "INFO PloneHotfix20130618 Hotfix installed." during startup.

5) Stop the foreground instance of Zope by hitting CTRL-C.

6) Restart your Zope instance.

On Mac or Linux, the command is typically:

$ bin/instance start

On Windows, the command is typically:

> bin\instance.exe start
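The two verification points in the procedure above as shell functions, added here as an example and not part of the Plone release notes: the MD5 comparison from step 1 and the search for the "Hotfix installed" line from step 4. The checksum value, the zip file name and the captured log file name are placeholders; take the real checksum from the download page.

```shell
#!/bin/sh
# Added example, not from the Plone release notes. Two checks from the
# recommended install procedure: step 1 (does the downloaded archive's MD5
# match the published checksum?) and step 4 (did "bin/instance fg" print the
# hotfix's startup line?). The checksum value and log file name are assumptions.

# Print the MD5 of a file using md5sum (Linux) or md5 (Mac), whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when the file's MD5 equals the expected checksum (case-insensitive,
# so a hash pasted in upper case still compares equal).
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Return 0 when a captured foreground-start log contains the line Zope prints
# once the hotfix has loaded.
hotfix_installed() {
    grep -q 'INFO PloneHotfix20130618 Hotfix installed\.' "$1"
}

# Run both checks; returns 1 on a checksum mismatch (do not install the file),
# 2 when the startup log lacks the hotfix line, 0 when both pass.
check_hotfix() {
    archive="$1"; expected="$2"; startup_log="$3"
    if ! verify_md5 "$archive" "$expected"; then
        echo "MD5 of $archive does not match the published checksum" >&2
        return 1
    fi
    if ! hotfix_installed "$startup_log"; then
        echo "no 'Hotfix installed' line in $startup_log; is the zip in products/?" >&2
        return 2
    fi
    echo "hotfix archive verified and loaded"
}

# Usage (placeholders): capture the foreground start from step 4 with
#   bin/instance fg 2>&1 | tee hotfix-start.log     (then CTRL-C as in step 5)
# and run:
#   check_hotfix <hotfix-zip> <md5-from-download-page> hotfix-start.log
```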

Installing with Buildout

If you are an experienced Plone administrator and you are using a Buildout-based installation of Plone, you may choose to install Hotfix 20130618 with Buildout. However, if you choose to do this, you must be certain that you will not accidentally overwrite Plone components with newer versions. This is particularly likely if you try to use Buildout with Plone 3 or Plone 3.1.

If you are not sure what you're doing, please use the "Recommended Install Procedure" above.

1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory.
2) Open your buildout.cfg file in your favorite text editor.
3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20130618, e.g.:

eggs = 

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.