Severity: HIGH

GHSA-pwgm-jvqv-6v8p

Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable

Details

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.


Affected packages

PyPI / plone
  Introduced in: 4.0     Fixed in: 4.0.10
  Fix: pip install --upgrade 'plone>=4.0.10'
PyPI / plone
  Introduced in: 4.1     Fixed in: 4.1.1
  Fix: pip install --upgrade 'plone>=4.1.1'
PyPI / plone
  Introduced in: 4.2a1   Fixed in: 4.2a3
  Fix: pip install --upgrade 'plone>=4.2a3'

Each "Fixed in" value is the first clean release of its line, so a deployment already on that exact version is not affected. The unbounded '>=' specifiers resolve to the newest plone release pip can find; add an upper bound (for example 'plone>=4.0.10,<4.1') to stay on the same release line.
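The following is an added example, not code from this advisory page or from the Plone project: a stdlib-only checker that tests a Plone version string against the three ranges listed above. The ranges are copied from the page; the function names (`parse_version`, `affected_range`, `is_affected`, `fix_spec`) are the example's own. It handles the edge case these ranges depend on: a pre-release such as 4.2a2 sorts below the final 4.2, so 4.2a2 falls inside 4.2a1 <= v < 4.2a3 while 4.2 itself does not.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges copied from this advisory: (introduced, fixed) per release line.
# A version is affected when introduced <= version < fixed.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("4.0", "4.0.10"),
    ("4.1", "4.1.1"),
    ("4.2a1", "4.2a3"),
]

# Dotted release number, optional pre-release tag (a, b, rc) and its counter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
# A final release (no tag) sorts after every pre-release of the same number.
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a Plone-style version string into a sortable key.

    Trailing zeros are dropped so "4.0" and "4.0.0" compare equal, and the
    key orders "4.2a2" below "4.2", which is what the advisory's ranges need.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    stage, counter = m.group(2), m.group(3)
    return (tuple(release), _STAGE_RANK[stage], int(counter or 0))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (introduced, fixed) range that contains `version`, or None.

    The fixed version itself is outside the range: it is the first clean release.
    """
    key = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= key < parse_version(fixed):
            return (introduced, fixed)
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside one of the advisory's ranges."""
    return affected_range(version) is not None


def fix_spec(version: str) -> Optional[str]:
    """pip requirement that lifts an affected `version` to its fixed release.

    Unlike the page's unbounded '>=' form, the spec carries an upper bound at
    the next minor release so the upgrade stays on the same release line.
    Returns None when `version` is not affected.
    """
    rng = affected_range(version)
    if rng is None:
        return None
    fixed = rng[1]
    release = parse_version(fixed)[0]
    major = release[0]
    minor = release[1] if len(release) > 1 else 0
    return f"plone>={fixed},<{major}.{minor + 1}"


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for v in ["3.3.5", "4.0.9", "4.0.10", "4.1", "4.2a2", "4.2a3", "4.2"]:
        print(f"{v:>7}: affected={is_affected(v)!s:<5} fix={fix_spec(v)}")
```

Plone sites are usually assembled with buildout rather than a bare pip install, so the returned specifier belongs in the versions pin file of the buildout rather than on a pip command line; the range logic is the same either way.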

References