oss-sec mailing list archives
Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 12:04:54 -0400 (EDT)
----- Original Message -----
Hello Josh, Steve, vendors, Plone upstream has published a pre-announcement about a security flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow execution of arbitrary code by anonymous users. An authenticated attacker could provide a specially-crafted web page, which once visited by an unsuspecting Zope user would lead to arbitrary commands execution with the privileges of the Zope/Plone service. References: [1] http://plone.org/products/plone/security/advisories/20110928 [2] http://secunia.com/advisories/46221/ [3] https://bugzilla.redhat.com/show_bug.cgi?id=742297 Note: The vendor announced the final version of the advisory and the patch to be available at 2011-10-04 15:00 UTC at the following location: [4] http://plone.org/products/plone/security/advisories/20110928
Please use CVE-2011-3587 for this. Thanks. -- JB
Current thread:
- CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Jan Lieskovsky (Sep 29)
- Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Josh Bressers (Sep 30)