Access Restriction Bypass

Affecting plone package, versions [5.0,5.1a1]


Overview

plone is a Content Management System.

Affected versions of this package are vulnerable to a RestrictedPython bypass: the sandbox that restricts code in page templates can be escaped by someone who can edit templates. Exploitation therefore requires template-editing rights, so the issue should only affect site administrators with ZMI access, or users who have been granted permission to edit PloneFormGen templates. Only the Chameleon template engine (five.pt) is affected; it is used by default in Plone 5 and can be added to Plone 4.
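The affected range above is written in Snyk's interval notation, where "[" and "]" are inclusive and "(" and ")" exclusive, and its upper bound is a pre-release (5.1a1), which a naive string or float comparison gets wrong. The following is an added example, not code from Snyk or the Plone project, of checking an installed Plone version against that range with a small hand-rolled comparison so it runs with no dependencies (`packaging.version.Version` handles the same PEP 440 ordering if you already have it installed). The sample versions are constructed. Note the caveat from the overview: this only matches the plone package range Snyk lists; a Plone 4 site that added five.pt is not caught by a version check and must be reviewed separately.

```python
import re

# Affected range as printed in this advisory (Snyk notation: "[" / "]" inclusive,
# "(" / ")" exclusive). Copied from the page; everything else here is an added example.
AFFECTED_RANGE = "[5.0,5.1a1]"

# Release segment plus an optional a/b/rc pre-release tag (enough for Plone's tags).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any pre-release of the same number


def parse_version(text):
    """Return a comparable (release, pre) tuple, e.g. "5.1a1" -> ((5, 1), (0, 1))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    release = tuple(int(p) for p in m.group(1).split("."))
    # Drop trailing zeros so 5.0 and 5.0.0 compare equal.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    pre = (_PRE_ORDER[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return (release, pre)


def parse_range(text):
    """Split "[lo,hi]" into (lo, lo_inclusive, hi, hi_inclusive); an empty bound is open."""
    m = re.match(r"^([\[(])\s*([^,\s]*)\s*,\s*([^\s\])]*)\s*([\])])$", text.strip())
    if not m:
        raise ValueError("unsupported range string: %r" % text)
    lo = parse_version(m.group(2)) if m.group(2) else None
    hi = parse_version(m.group(3)) if m.group(3) else None
    return lo, m.group(1) == "[", hi, m.group(4) == "]"


def is_affected(version, range_text=AFFECTED_RANGE):
    """True if `version` lies inside the advisory's affected range."""
    v = parse_version(version)
    lo, lo_inc, hi, hi_inc = parse_range(range_text)
    if lo is not None and (v < lo if lo_inc else v <= lo):
        return False
    if hi is not None and (v > hi if hi_inc else v >= hi):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for v in ["4.3.9", "5.0", "5.0.5", "5.1a1", "5.1b1", "5.1"]:
        print("plone %-6s affected=%s" % (v, is_affected(v)))
```

The point to notice is the upper bound: 5.1a1 is inside the range, while 5.1b1, 5.1rc1 and the final 5.1 are outside it, because a pre-release sorts before the final release of the same number.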

References

CVSS Score

4.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Credit
Fred van Dijk, Maurits van Rees
CVE
CVE-2016-4043
CWE
CWE-284
Snyk ID
SNYK-PYTHON-PLONE-40396
Disclosed
20 Apr, 2016
Published
20 Apr, 2016