MEDIUM

GHSA-jcwh-rj6j-vm75

Plone allows remote users to modify arbitrary portraits

Details

Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.


Affected packages

PyPI / plone
  Introduced in: 0
  Fixed in: 2.0.6
  Fix: pip install --upgrade 'plone>=2.0.6'

PyPI / plone
  Introduced in: 2.1.0
  No fixed version published yet for plone (pip). Pin to a known-safe version or switch to an alternative.

PyPI / plone
  No fixed version published yet for plone (pip). Pin to a known-safe version or switch to an alternative.
