oss-sec mailing list archives

Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution

From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 12:04:54 -0400 (EDT)



----- Original Message -----

Hello Josh, Steve, vendors,

   Plone upstream has published a pre-announcement about a security
flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow
execution of arbitrary code by anonymous users. An authenticated
attacker could provide a specially-crafted web page, which once
visited by an unsuspecting Zope user would lead to arbitrary commands
execution with the privileges of the Zope/Plone service.

References:
[1] http://plone.org/products/plone/security/advisories/20110928
[2] http://secunia.com/advisories/46221/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=742297

Note: The vendor announced the final version of the advisory and
       the patch to be available at 2011-10-04 15:00 UTC at the
       following location:
       [4]
       http://plone.org/products/plone/security/advisories/20110928


Please use CVE-2011-3587 for this.

Thanks.

-- 
    JB

Current thread:

CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Jan Lieskovsky (Sep 29)
- Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Josh Bressers (Sep 30)