Plone Security Advisories

Please see the Plone Hotfix Page for patches and hotfixes addressing these advisories. To report potentially security-related issues, please e-mail the Plone Security Team at


eea.facetednavigation vulnerability requires immediate upgrade
A medium-severity vulnerability in the popular add-on product EEA Faceted Navigation (eea.facetednavigation).
20131210 - Pre-announcement of hotfix
In keeping with our new policy of releasing hotfixes every four months, we are announcing the planned release of a security fix on Tuesday 10 December 2013.
20130618 Hotfix update posted
Version 1.3 of Hotfix 20130618 has been released.
Security patch delayed until 2013-06-18: server issues delaying hotfix
Security vulnerability announcement: 20130618 - Multiple vectors
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.
PloneFormGen vulnerability requires immediate upgrade
PloneFormGen, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.
Security vulnerability: 20121106 - Multiple vectors
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.
Security announcement: Zope Hotfix 20111024
The latest Zope security announcement does not affect most Plone installations.
Security vulnerability announcement: 20110928 - Arbitrary Code Execution
A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.
Security vulnerability announcement: CVE-2011-2528 – Privilege escalation
A highly serious vulnerability in Zope that allows unauthorised access.
Hotfix Error: Hotfix20110531 version 1.0 is incomplete
A critical flaw has been found in version 1.0 of Hotfix20110531, an update is now available
Security vulnerability announcement: CVE-2011-1950 – An escalation of privileges attack
A vulnerability affecting Plone 4.0 and 4.1.
Security vulnerability announcement: CVE-2011-1949 – A persistent cross site scripting vulnerability
A vulnerability in Plone versions using Products.PortalTransforms, including Plone 2.1 through 4.1.
Security vulnerability announcement: CVE-2011-1948 – A reflected cross site scripting vulnerability
A vulnerability in all Plone versions that allows specially crafted URLs to return arbitrary content.
Security vulnerability announcement: CVE-2011-0720 - Privilege escalation
A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.
CVE-2010-2422: HTML injection in safe_html
This update fixes a flaw in Plone's HTML filtering (safe_html) that allows arbitrary HTML, including script, to be injected into pages.
CVE-2009-0662: Authentication flaw in login form
This update fixes a flaw in the login form handling which allowed authenticated users to assume another identity.
CVE-2008-0164: Cross-Site Request Forgery (CSRF) security vulnerability
This update protects security-sensitive forms in Plone from cross-site request forgery (CSRF) attacks.
CVE-2007-5741: Unsafe data interpreted as pickles
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. Because unpickling can invoke arbitrary callables, this allows an attacker to run arbitrary Python code within the Zope/Plone process.
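Why untrusted pickles mean code execution, and what a safe handling of such data looks like, as an added example that is not part of this advisory and is not Plone's or Zope's code. The sample state dict, the hand-written pickle bytes, the environment-variable marker used as proof of execution, and the two defences shown (an Unpickler that refuses every global lookup, and HMAC authentication of the blob before it is parsed) are all assumptions for illustration; the actual statusmessages/linkintegrity fix is not reproduced here.

```python
import hashlib
import hmac
import io
import os
import pickle

# Constructed sample state of the kind a status-message cookie might carry.
# Hypothetical data for this demo, not Plone's actual wire format.
SAMPLE_STATE = {"message": "Item saved.", "type": "info"}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# A hand-written protocol-0 pickle. No class definition is needed on either
# side: the opcodes simply say "look up builtins.exec and call it with this
# string". Feeding these bytes to pickle.loads() runs the code.
#   c<module>\n<name>\n   GLOBAL   push builtins.exec onto the stack
#   (                     MARK
#   V<text>\n             UNICODE  push the argument string
#   t                     TUPLE    collect everything since MARK into a tuple
#   R                     REDUCE   call exec(*args)
#   .                     STOP     return the result (None)
MALICIOUS_PICKLE = (
    b"cbuiltins\nexec\n"
    b"(Vimport os; os.environ['PICKLE_DEMO'] = 'ran'\n"
    b"tR."
)


def unsafe_load(data: bytes):
    """The vulnerable pattern: bytes from the network straight into pickle.loads."""
    return pickle.loads(data)


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL lookup, so only plain data types (dict, list, str,
    int, ...) can be reconstructed and no callable can ever be invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted data")


def restricted_load(data: bytes):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def sign(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the server recognises blobs it produced."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_and_load(blob: bytes, key: bytes):
    """Check the tag in constant time before any parsing touches the bytes,
    then still use the restricted unpickler as defence in depth."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature: data rejected before unpickling")
    return restricted_load(payload)


# --- checks, written as functions so the outcomes can be inspected ----------

def exploit_runs_code() -> bool:
    """True if pickle.loads on the crafted bytes executed the embedded code."""
    os.environ.pop("PICKLE_DEMO", None)
    unsafe_load(MALICIOUS_PICKLE)
    return os.environ.get("PICKLE_DEMO") == "ran"


def restricted_blocks_exploit() -> bool:
    """True if the data-only unpickler refuses the same bytes."""
    try:
        restricted_load(MALICIOUS_PICKLE)
    except pickle.UnpicklingError:
        return True
    return False


def restricted_round_trip():
    """Plain data still survives the restricted unpickler."""
    return restricted_load(pickle.dumps(SAMPLE_STATE))


def signed_round_trip(key: bytes = b"demo-secret-key"):
    """A blob the server signed itself is accepted and decoded."""
    return verify_and_load(sign(pickle.dumps(SAMPLE_STATE), key), key)


def forgery_rejected(key: bytes = b"demo-secret-key") -> bool:
    """An attacker without the key cannot produce a valid tag."""
    forged = MALICIOUS_PICKLE + bytes(TAG_LEN)  # guessed (all-zero) tag
    try:
        verify_and_load(forged, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe_load ran attacker code:", exploit_runs_code())
    print("restricted unpickler blocked it:", restricted_blocks_exploit())
    print("restricted round trip:", restricted_round_trip())
    print("signed round trip:", signed_round_trip())
    print("forged blob rejected:", forgery_rejected())
```

The signature check happens before the bytes reach any parser, which is the property that matters: once pickle.loads has started on attacker-controlled input it is already too late, since the REDUCE opcode calls whatever global the data names. The restricted unpickler is kept as a second layer so that a leaked key still does not buy code execution, only forged data.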
Zope XSS vulnerability, please update your sites
A vulnerability has been discovered in Zope, whereby misuse of certain types of HTTP GET could lead to elevated privileges. All Zope versions up to and including 2.10.2 are affected.