Plone Security Advisories

Please see the Plone Hotfix Page for patches and hotfixes addressing these advisories. To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org.


Security patch released: 20160419
Hotfix to patch various vulnerabilities

Security vulnerability pre-announcement: 20160419
Hotfix to patch various vulnerabilities

Security patch released: 20151208
Patch to Plone for unauthorized disclosure of registered user information

Security vulnerability pre-announcement: 20151208
Hotfix to patch various vulnerabilities

Security vulnerability: 20151006 - CSRF
Patches to Zope and Plone for multiple CSRF issues.

Security vulnerability pre-announcement: 20151006
Patches to Plone for a variety of issues

Security vulnerability: 20150910 - Multiple vectors
Patches to Zope and Plone for a variety of issues.

eea.facetednavigation vulnerability requires immediate upgrade
A medium severity vulnerability in the popular add-on product EEA Faceted Navigation.

20131210 - Pre-announcement of hotfix
In keeping with our new policy of 4-monthly hotfixes, we are announcing the planned release of a security fix on Tuesday 10th December 2013.

20130618 Hotfix update posted
Version 1.3 of 20130618 released.

Security Patch Delayed until 2013-06-18
download.zope.org server issues delaying hotfix

Security vulnerability announcement: 20130618 - Multiple vectors
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.

PloneFormGen vulnerability requires immediate upgrade
PloneFormGen, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.

Security vulnerability: 20121106 - Multiple vectors
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.

Security announcement: Zope Hotfix 20111024
The latest Zope security announcement does not affect most Plone installations.

Security vulnerability announcement: 20110928 - Arbitrary Code Execution
A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.

Security vulnerability announcement: CVE-2011-2528 – Privilege escalation
A highly serious vulnerability in Zope that allows unauthorised access

Hotfix Error: Hotfix20110531 version 1.0 is incomplete
A critical flaw has been found in version 1.0 of Hotfix20110531; an update is now available

Security vulnerability announcement: CVE-2011-1950 – An escalation of privileges attack
A vulnerability in plone.app.users affecting Plone 4.0 and 4.1.

Security vulnerability announcement: CVE-2011-1949 – A persistent cross site scripting vulnerability
A vulnerability in Plone versions using Products.PortalTransforms, including Plone 2.1 through 4.1.