oss-sec mailing list archives

CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 29 Sep 2011 17:59:38 +0200

Hello Josh, Steve, vendors,

  Plone upstream has published a pre-announcement about a security
flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow
execution of arbitrary code by anonymous users. An authenticated
attacker could provide a specially-crafted web page, which once
visited by an unsuspecting Zope user would lead to arbitrary commands
execution with the privileges of the Zope/Plone service.

References:
[1] http://plone.org/products/plone/security/advisories/20110928
[2] http://secunia.com/advisories/46221/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=742297

Note: The vendor announced the final version of the advisory and
      the patch to be available at 2011-10-04 15:00 UTC at the
      following location:
      [4] http://plone.org/products/plone/security/advisories/20110928

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Jan Lieskovsky (Sep 29)
- Re: CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution Josh Bressers (Sep 30)