From: Announcement of P. r. a. security-r. n. R. s. f. a. P. d. a. s. admins.
<plo...@li...> - 2011-06-01 18:48:05
The Plone Security team released a new hotfix this morning, "Plone Hotfix 20110531," addressing 4 vulnerabilities. Please take the time as soon as possible to install this hotfix on any sites for which you are responsible.

Installation instructions for the hotfix can be found at http://plone.org/products/plone-hotfix/releases/20110531

The hotfix addresses the following 4 vulnerabilities:

1. Reflected XSS attack: A crafted URL can display arbitrary HTML output. This is a vulnerability in CMFPlone affecting all versions of Plone. Thanks to S. Streichsbier of SEC Consult for the responsible disclosure. See CVE-2011-1948 for details.
http://plone.org/products/plone/security/advisories/CVE-2011-1948

2. Persistent XSS attack: Certain valid HTML will allow JavaScript filtering to be bypassed. This is a vulnerability in Products.PortalTransforms affecting all versions of Plone using it, including 2.1 through 4.1. Thanks to Daniel Berlin and Dan Bentley, both of Google, and Brian Peters, an independent researcher, for responsibly disclosing this independently of each other. See CVE-2011-1949 for details.
http://plone.org/products/plone/security/advisories/CVE-2011-1949

3. Unauthorized data changes: One form allows users to edit the properties of other users. This is a vulnerability in plone.app.users affecting Plone 4.0 and 4.1. See CVE-2011-1950 for details. Please note: This vulnerability was disclosed prior to release of the hotfix, and it is highly recommended that site administrators and privileged users reset their passwords.
http://plone.org/products/plone/security/advisories/CVE-2011-1950

4. Denial of service: A user can prevent other users from logging in. This is a vulnerability in Products.PluggableAuthService affecting all versions of Plone using it, including 2.5 through 4.1. Thanks to Alan Hoey of Team Rubber for the responsible disclosure. See PAS ticket #789858 for details.
https://bugs.launchpad.net/zope-pas/+bug/789858

The hotfix is supported on Plone 3 and 4. It is also known to work on Plone 2.5, and may work on older versions of Plone. The fixes included will be incorporated into subsequent releases of Plone, so Plone 4.0.7, 4.1rc3, and greater should not require this hotfix.

We would also appreciate your assistance in spreading word of this hotfix to other Plone site administrators who may not have gotten the word yet.

thanks,
David Glick
on behalf of the Plone Security team

----------
David Glick
Web Developer
dav...@gr...
206.286.1235x32

Groundwire: You Are Connected
http://groundwire.org
Online tools and strategies for the environmental movement.

Sign up for Groundwire News! http://groundwire.org/email-capture