Plone critical security hotfix addressing multiple vulnerabilities

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for davisagli from gravatar.com davisagli Avatar for esteele from gravatar.com esteele Avatar for laurencerowe from gravatar.com laurencerowe Avatar for MatthewWilkes from gravatar.com MatthewWilkes

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL

Author: Plone security team

Tags security, hotfix, patch

Classifiers

Project description

Important note: This is version 2.0 of the hotfix and fixes a critical issue with version 1.0 of the hotfix. You should update your sites to version 2.0 even if you have already applied version 1.0 of the hotfix. The Plone security team apologizes for this error.

This hotfix fixes the following four vulnerabilities:

  1. Reflected XSS attack: A crafted URL can display arbitrary HTML output. This is a vulnerability in CMFPlone affecting all versions of Plone. Thanks to S. Streichsbier of SEC Consult for the responsible disclosure. See CVE-2011-1948 for details.

  2. Persistent XSS attack: Certain valid HTML will allow Javascript filtering to be bypassed. This is a vulnerability in Products.PortalTransforms affecting all versions of Plone using it, including 2.1 through 4.1. Thanks to Daniel Berlin and Dan Bentley both of Google and Brian Peters an independent researcher, for responsibly disclosing this independently of each other. See CVE-2011-1949 for details.

  3. Unauthorized data changes: One form allows users to edit the properties of other users. This is a vulnerability in plone.app.users affecting Plone 4.0 and 4.1. This vulnerability was not disclosed responsibly to the security team. See CVE-2011-1950 for details.

  4. Denial of service: A user can prevent other users from logging in. This is a vulnerability in Products.PluggableAuthService affecting all versions of Plone using it, including 2.5 through 4.1. Thanks to Alan Hoey of Team Rubber for the responsible disclosure. See PAS ticket #789858 for details.

This hotfix is supported on Plone 3 and 4. It is also known to work on Plone 2.5, and may work on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.0.7, 4.1rc3, and greater should not require this hotfix.

Installation

Installation instructions can be found at http://plone.org/products/plone-hotfix/releases/20110531

Changelog

2.0 (2011-06-02)

  • Fix a critical issue preventing correct functioning of one of the patches. [davisagli]

  • Avoid trying to patch safe_html.StrippingParser if it is not present (as in very old versions of PortalTransforms). [davisagli]

1.0 (2011-06-01)

  • Initial release [Plone security team]

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for davisagli from gravatar.com davisagli Avatar for esteele from gravatar.com esteele Avatar for laurencerowe from gravatar.com laurencerowe Avatar for MatthewWilkes from gravatar.com MatthewWilkes

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL

Author: Plone security team

Tags security, hotfix, patch

Classifiers

Release history Release notifications | RSS feed

This version

2.0

1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Products.PloneHotfix20110531-2.0.zip (11.2 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page