oss-sec mailing list archives
CVE Request: Plone CSRF
From: Nathan Van Gheem <nathan.van.gheem () plone org>
Date: Mon, 12 Oct 2015 09:47:06 -0500
Hi,

Can a CVE be assigned to this issue, please?

https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope

Plone is built on the Zope2 application framework. In the Zope2 application framework, there are multiple CSRF vulnerabilities. The latest version of Plone has automatic CSRF protection integrated at the database layer. This patch basically backports the latest automatic CSRF infrastructure to Plone 4.x.

The relevant code is in:

https://github.com/plone/plone.protect
and
https://github.com/plone/plone4.csrffixes

Finally, more information about the problem:

https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf

The vendor credits with the discovery: John Page (hyp3rlinx)

Thanks, let me know if you'd like more information.

Thanks,
Nathan
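The message above describes protection that is enforced "at the database layer" rather than per form: writes are allowed to commit only when the request carried a valid anti-CSRF token. The following is an added illustration of that idea and is not code from plone.protect or plone4.csrffixes; the `Transaction` class, the `SERVER_SECRET` value, the `_authenticator` form field name and all helper names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret (constructed here). In a real deployment
# it would come from a managed key store, never be hard-coded.
SERVER_SECRET = secrets.token_bytes(32)

# HTTP methods that must never change server state, so no token is required.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical name of the hidden form field carrying the token.
TOKEN_FIELD = "_authenticator"


def create_token(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-user token as HMAC-SHA256(secret, user_id).

    Binding the token to the user means a token leaked for one account
    cannot be replayed against another.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_token(user_id: str, token, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison of a submitted token against the expected one."""
    if not token:
        return False
    return hmac.compare_digest(create_token(user_id, secret), str(token))


class Transaction:
    """Minimal stand-in for a database transaction (constructed for this example).

    It records which objects a request modified, so that the CSRF check can run
    once at commit time instead of being remembered on every form.
    """

    def __init__(self) -> None:
        self.changed: list = []

    def register(self, obj) -> None:
        """Called by the persistence layer whenever an object is modified."""
        self.changed.append(obj)


def commit_or_abort(method: str, user_id: str, form: dict,
                    tx: Transaction, secret: bytes = SERVER_SECRET) -> str:
    """Decide the fate of a transaction at commit time.

    Returns "no-op" when nothing was written, "committed" when writes are
    covered by a safe method or a valid token, and "aborted" otherwise.
    """
    if not tx.changed:
        return "no-op"
    if method.upper() in SAFE_METHODS:
        # A write triggered by a GET is suspicious in its own right: abort it,
        # because a cross-site <img> or link can issue a GET without a token.
        return "aborted"
    if check_token(user_id, form.get(TOKEN_FIELD), secret):
        return "committed"
    return "aborted"


if __name__ == "__main__":
    # Constructed walk-through: a legitimate POST with a token commits,
    # a forged POST without one is rolled back.
    good = Transaction()
    good.register("page-1")
    print(commit_or_abort("POST", "alice", {TOKEN_FIELD: create_token("alice")}, good))
    forged = Transaction()
    forged.register("page-1")
    print(commit_or_abort("POST", "alice", {}, forged))
```

The point of checking at commit time is that a write reached through any path, including a view that nobody remembered to protect, is still covered; the cost is that every legitimate state-changing request must carry the token, which is why a backport to an existing release touches many templates.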
Current thread:
- CVE Request: Plone CSRF Nathan Van Gheem (Oct 12)
- Re: CVE Request: Plone CSRF cve-assign (Oct 12)
- Re: CVE Request: Plone CSRF Nathan Van Gheem (Oct 12)
- Re: CVE Request: Plone CSRF cve-assign (Oct 12)