Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 353590 (CVE-2011-0720)

Summary: net-zope/plone: escalation of privileges (CVE-2011-0720)
Product: Gentoo Security Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE    
Severity: minor CC: net-zope+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://plone.org/products/plone/security/advisories/cve-2011-0720
Whiteboard: B3? [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-03 07:20:05 UTC 
A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.

This is an escalation of privileges attack that can be used by anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin.  The sandbox protecting access to the underlying system is still in place, and it does not grant access to other applications running on the same Zope instance.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-10 21:38:15 UTC 
Upstream has released a hotfix: http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:01:30 UTC 
CVE-2011-0720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0720):
  Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci,
  and possibly other products, allows remote attackers to obtain
  administrative access, read or create arbitrary content, and change the site
  skin via unknown vectors.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:23:09 UTC 
Plone is long gone from tree.