—

PYSEC-2007-4

Details

Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 2.5 Fixed in: 2.5.5

Fix pip install --upgrade 'plone>=2.5.5'

PyPI / plone

Introduced in: 3.0 Fixed in: 3.0.3

Fix pip install --upgrade 'plone>=3.0.3'

References

http://plone.org/about/security/advisories/cve-2007-5741 [ADVISORY]
http://www.securityfocus.com/bid/26354 [FIX]
http://secunia.com/advisories/27530 [ADVISORY]
http://www.debian.org/security/2007/dsa-1405 [ADVISORY]
http://secunia.com/advisories/27559 [ADVISORY]
http://osvdb.org/42072 [WEB]
http://osvdb.org/42071 [WEB]
http://www.vupen.com/english/advisories/2007/3754 [ADVISORY]
https://exchange.xforce.ibmcloud.com/vulnerabilities/38288 [WEB]
http://www.securityfocus.com/archive/1/483343/100/0/threaded [WEB]