Plone security advisory 20260623
Various vulnerabilities, including Remote Code Execution and Denial of Service
On behalf of the Plone/Zope Security Team, I announce several vulnerability fixes.
- Remote Code Execution via TALES Injection, severity 9.9 critical
- Denial of service via iCalendar import, severity 9.1 critical
- Denial of service via RSS feed portlet, severity 9.1 critical
- Denial of Service due to excessive title/description/filename length, severity 6.5 moderate. This has fixes in two packages:
Two others were already made public recently; we list them here for good measure: icalendar and RestrictedPython.
Some are only a vulnerability on Classic UI (for example, Volto has no portlets), but others affect Volto as well.
Taking all of these together, you should update your Plone sites to the following versions (formatted here as pip constraints):
Plone 6.2:
icalendar==7.1.3
plone.app.contenttypes==5.0.1
plone.app.dexterity==5.0.1
plone.app.event==6.0.1
plone.app.portlets==7.0.2
RestrictedPython==8.3
Plone 6.1:
plone.app.contenttypes==4.0.10
plone.app.dexterity==4.1.3
plone.app.event==5.2.4
plone.app.portlets==6.0.4
RestrictedPython==8.3
Plone 6.0:
plone.app.contenttypes==3.0.12
plone.app.dexterity==3.2.3
plone.app.event==5.2.4
plone.app.portlets==5.0.8
RestrictedPython==8.3; python_version > '3.10'
You may want to check if you have already applied the plone.app.textfield and plone.restapi fixes from the June 5 announcement.
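To confirm that a site actually runs the fixed versions, the following script compares installed package versions against the advisory's pins. It is an added example, not code from the advisory or from the Plone project: the constraint text is copied from the lists above, the environment-marker handling covers only the `python_version > '3.10'` form used there, version parsing assumes plain dotted release numbers, and the live lookup assumes `importlib.metadata` resolves dotted distribution names such as plone.app.event in the site's Python environment. Run it with the site's Python interpreter and the release line as argument (for example `6.2`); every line it prints is a package still below the fix.

```python
# Added example, not part of the advisory or of Plone: compare installed
# versions against the advisory's pins.  Constraint text is copied from the
# advisory; the 'installed' mappings in the usage note are constructed.
import re
import sys
from importlib import metadata

# Constraints exactly as given in the advisory, keyed by Plone release line.
ADVISORY_CONSTRAINTS = {
    "6.2": """
icalendar==7.1.3
plone.app.contenttypes==5.0.1
plone.app.dexterity==5.0.1
plone.app.event==6.0.1
plone.app.portlets==7.0.2
RestrictedPython==8.3
""",
    "6.1": """
plone.app.contenttypes==4.0.10
plone.app.dexterity==4.1.3
plone.app.event==5.2.4
plone.app.portlets==6.0.4
RestrictedPython==8.3
""",
    "6.0": """
plone.app.contenttypes==3.0.12
plone.app.dexterity==3.2.3
plone.app.event==5.2.4
plone.app.portlets==5.0.8
RestrictedPython==8.3; python_version > '3.10'
""",
}

# Only the '==' pin form with an optional marker, which is all the advisory uses.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)(?:\s*;\s*(.+))?$")
_MARKER_RE = re.compile(r"^python_version\s*(>=|<=|==|!=|>|<)\s*'([0-9.]+)'$")


def parse_version(text):
    """Plain dotted release versions only ('8.3' -> (8, 3)); enough for these
    pins.  Assumption: no pre-release or post-release suffixes appear."""
    return tuple(int(part) for part in text.strip().split("."))


def marker_applies(marker, python_version):
    """Evaluate the one marker shape used here: python_version <op> 'X.Y'.
    No marker, or an unrecognised one, is treated as applying (conservative)."""
    if not marker:
        return True
    m = _MARKER_RE.match(marker.strip())
    if not m:
        return True
    op, wanted = m.group(1), parse_version(m.group(2))
    have = parse_version(python_version)
    return {">": have > wanted, ">=": have >= wanted, "<": have < wanted,
            "<=": have <= wanted, "==": have == wanted, "!=": have != wanted}[op]


def parse_constraints(text):
    """Return [(name, pinned_version, marker_or_None)] for each non-empty line."""
    pins = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unsupported constraint line: {line!r}")
        pins.append((m.group(1), m.group(2), m.group(3)))
    return pins


def check_versions(constraints_text, installed, python_version):
    """Return [(package, installed_or_None, fixed)] for every applicable pin whose
    installed version is missing or older; `installed` keys are lower-cased names."""
    findings = []
    for name, fixed, marker in parse_constraints(constraints_text):
        if not marker_applies(marker, python_version):
            continue  # e.g. RestrictedPython on Plone 6.0 with Python 3.10
        have = installed.get(name.lower())
        if have is None or parse_version(have) < parse_version(fixed):
            findings.append((name, have, fixed))
    return findings


def installed_versions(names):
    """Live lookup via importlib.metadata (assumed to resolve dotted names)."""
    found = {}
    for name in names:
        try:
            found[name.lower()] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name.lower()] = None
    return found


if __name__ == "__main__":
    release = sys.argv[1] if len(sys.argv) > 1 else "6.2"
    text = ADVISORY_CONSTRAINTS[release]
    names = [name for name, _, _ in parse_constraints(text)]
    pyver = "%d.%d" % sys.version_info[:2]
    for name, have, fixed in check_versions(text, installed_versions(names), pyver):
        print(f"{name}: installed {have or 'nothing'}, advisory fix is {fixed}")
```

The marker evaluation matters for Plone 6.0: on Python 3.10 the RestrictedPython pin is skipped, exactly as pip would skip it, so a site on 3.10 is not flagged for a pin that does not apply to it, while on 3.11 or later an older RestrictedPython is reported. A pin form the script does not understand raises instead of being silently passed, so a typo in a locally edited constraints file cannot hide a missing fix.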
If you think a security issue was incompletely solved, please contact the Plone/Zope Security Team via email at security@plone.org.
If these versions cause other problems, you can comment on the community forum announcement or open an issue in the Products.CMFPlone tracker. Please check first whether the problem has already been reported.