—
PYSEC-2026-733
Plone allows remote users to modify arbitrary portraits
Details
Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2006-1711 [ADVISORY]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25781 [WEB]
- https://github.com/plone/Plone [PACKAGE]
- https://web.archive.org/web/20060412111111/https://dev.plone.org/plone/ticket/5432 [WEB]
- https://web.archive.org/web/20060422195724/http://www.securityfocus.com/bid/17484 [WEB]
- http://www.debian.org/security/2006/dsa-1032 [WEB]
- https://pypi.org/project/plone [PACKAGE]
- https://github.com/advisories/GHSA-jcwh-rj6j-vm75 [ADVISORY]