—

PYSEC-2014-53

Details

Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 2.1 Fixed in: 4.1.1

Fix pip install --upgrade 'plone>=4.1.1'

References

http://seclists.org/oss-sec/2013/q3/261 [WEB]
http://plone.org/products/plone/security/advisories/20130618-announcement [ADVISORY]
http://plone.org/products/plone-hotfix/releases/20130618 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=978450 [REPORT]