MEDIUM

GHSA-jcwh-rj6j-vm75

Plone allows remote users to modify arbitrary portraits

상세

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / plone

최초 영향 버전: 0 수정 버전: 2.0.6

수정 pip install --upgrade 'plone>=2.0.6'

PyPI / plone

최초 영향 버전: 2.1.0

No fixed version published yet for plone (pip). Pin to a known-safe version or switch to an alternative.

PyPI / plone

No fixed version published yet for plone (pip). Pin to a known-safe version or switch to an alternative.

참고

https://nvd.nist.gov/vuln/detail/CVE-2006-1711 [ADVISORY]
https://exchange.xforce.ibmcloud.com/vulnerabilities/25781 [WEB]
https://github.com/plone/Plone [PACKAGE]
https://web.archive.org/web/20060412111111/https://dev.plone.org/plone/ticket/5432 [WEB]
https://web.archive.org/web/20060422195724/http://www.securityfocus.com/bid/17484 [WEB]
http://www.debian.org/security/2006/dsa-1032 [WEB]