VDB
KO

PYSEC-2026-733

Plone allows remote users to modify arbitrary portraits

Details

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone
Introduced in: 0 Fixed in: 2.0.6
Fix pip install --upgrade 'plone>=2.0.6'

References