mailing list archives
Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 12:04:54 -0400 (EDT)
----- Original Message -----
Hello Josh, Steve, vendors,
Plone upstream has published a pre-announcement about a security
flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow
execution of arbitrary code by anonymous users. An authenticated
attacker could provide a specially-crafted web page, which once
visited by an unsuspecting Zope user would lead to arbitrary commands
execution with the privileges of the Zope/Plone service.
Note: The vendor announced the final version of the advisory and
the patch to be available at 2011-10-04 15:00 UTC at the
Please use CVE-2011-3587 for this.