The H (International): Plone releases fixes for 24 vulnerabilities

After an alert the week of October 29 that Zope and the Plone CMS were vulnerable to 24 security holes that could have led to privilege escalation and code injection, the developers have now released a hotfix for Plone that closes them. The hotfix was tested with Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, and Plone 2.1.

The list of flaws was extensive: issues include the ability for anonymous users to execute arbitrary Python in the admin interface, crafting of URLs which can log users out, an ability to escape the Python sandbox, cross-site scripting (XSS) issues, permissions bypasses, denial of service through unsanitized inputs or by requesting large collections, anonymous manipulation of content item titles, unauthorized downloading of BLOB content, password timing attacks, and more.

According to a Plone security team member, some of the vulnerabilities affect only Plone 3 or Plone 4, while others are in Zope or other libraries. Although many of the issues are relatively minor, there are some serious issues among the 24 vulnerabilities. The developers did not break down the vulnerabilities publicly by which version or component is affected, but assured users that applying the hotfix to any vulnerable version of Plone removes the risk. Many of the issues were found by the Plone Security Team while conducting an audit of the code, although some were reported by users.
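The "password timing attacks" entry in the list above refers to a general class of flaw: a secret comparison that stops at the first mismatching character takes measurably longer the more of the prefix a supplied value gets right, so response latency leaks the secret one position at a time. The example below is added here to illustrate that class and its standard mitigation; it is not code from Plone, Zope or the hotfix, and the article does not say which comparison in those code bases was affected. The `naive_compare` and `constant_time_compare` function names and the sample secret are constructed for the illustration. Instead of measuring wall-clock time, `naive_compare` reports how many characters it inspected, which makes the leak visible deterministically.

```python
import hmac

# Constructed sample secret for the illustration. A real application compares
# password hashes rather than plaintext, but the timing issue is the same.
STORED_SECRET = "correct horse battery staple"


def naive_compare(stored, supplied):
    """Character-by-character comparison that returns at the first mismatch.

    Returns (equal, steps), where `steps` is the number of characters inspected.
    The step count stands in for elapsed time: an observer measuring response
    latency learns how long the matching prefix is and can extend it one
    character at a time.
    """
    if len(stored) != len(supplied):
        return False, 0           # length mismatch is also leaked immediately
    steps = 0
    for a, b in zip(stored, supplied):
        steps += 1
        if a != b:
            return False, steps   # early exit: cost depends on mismatch position
    return True, steps


def constant_time_compare(stored, supplied):
    """Comparison whose running time does not depend on where the inputs differ.

    hmac.compare_digest (Python 2.7.7+/3.3+) inspects every byte regardless of
    mismatches, so latency carries no information about the matching prefix.
    """
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def prefix_leak(stored, guesses):
    """Return the step count naive_compare spends on each guess.

    A rising count across guesses that share a growing prefix with `stored`
    is exactly the side channel a constant-time comparison removes.
    """
    return [naive_compare(stored, guess)[1] for guess in guesses]


if __name__ == "__main__":
    guesses = ["x" * 28, "c" + "x" * 27, "co" + "x" * 26, "cor" + "x" * 25]
    print("naive step counts:", prefix_leak(STORED_SECRET, guesses))
    print("constant-time match:", constant_time_compare(STORED_SECRET, STORED_SECRET))
```

The step counts grow by one for each additional correct leading character, which is the signal a latency measurement would recover from the naive version; `constant_time_compare` returns the same boolean result with no such dependency. The same principle applies to comparing API tokens, session identifiers and HMAC tags, not only passwords.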
Ali Loney, on November 06, 2012