Re: Plone security hotfix 20200121

[Maurits van Rees <maurits () vanrees org>]

We have received CVE numbers from mitre.org. Thanks. See inline below.

On 21/01/2020 23:49, Maurits van Rees wrote:
> A Plone security hotfix was released today.
>
> CVE numbers: not yet issued. We will request them shortly from mitre.org.
>
> Versions Affected: All supported Plone versions (4.3.15 and any earlier
> 4.x version, 5.2.1 and any earlier 5.x version). Previous versions could
> be affected but have not been tested.
>
> Versions Not Affected: None.
>
> Nature of vulnerability:
>
> The patch addresses several security issues:
>
> - Privilege escalation when plone.restapi is installed. Reported and
> fixed by Lukas Graf and Niklaus Johner.
CVE-2020-7938
> - An open redirection on the login form and possibly other places where
> redirects are done. The isURLInPortal check that is done to avoid linking to an externalsite could be tricked into 
> accepting malicious links. Reported by Damiano Esposito.
CVE-2020-7936
> - Password strength checks were not always checked. Reported by Ben Kummer.
CVE-2020-7940
> - You might be able to PUT (overwrite) some content without needing
> write permission.
>    This seems hard to do in practice. This fix is only needed when you
> use plone.app.contenttypes. Reported and fixed by Alessandro Pisa.
CVE-2020-7941
> - SQL quoting in DTML or in connection objects was insufficient, leading
> to possible SQL injections. This is a problem in Zope. If you use Zope
> without Plone, this hotfix should work for you too. Reported and fixed
> by Michael Brunnbauer and Michael Howitz.
CVE-2020-7939
> - Cross Site Scripting (XSS) in the title field on plone 5.0 and higher.
> Reported by Marcos Valle.
CVE-2020-7937

-- 
Maurits van Rees https://maurits.vanrees.org/