oss-sec mailing list archives

CVE Request: Plone Privilege Escalation


From: Nathan Van Gheem <nathan.van.gheem () plone org>
Date: Sat, 19 Sep 2015 10:47:29 -0500

Hi,

Can a CVE be assigned to this issue, please?

   https://plone.org/security/20150910/privilege-escalation-in-kupu

An incorrect security declaration would allow any authenticated user to
edit kupu settings--the WYSIWYG editor for old versions of Plone. Affected
versions are all Plone versions 3 through 4.2. Only a hotfix has been
posted, as releases are no longer made for these versions.

The relevant code is:

https://plone.org/security/20150910/

The vendor credits with the discovery: Richard Mitchell

Thanks, let me know if you'd like more information.

Nathan
