SB2017022408 - Multiple vulnerabilities in Plone

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-4041)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.

2) Information disclosure (CVE-ID: CVE-2016-4042)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2016/04/20/1
• https://plone.org/security/hotfix/20160419/privilege-escalation-in-webdav
• http://www.openwall.com/lists/oss-security/2016/04/20/2
• https://plone.org/security/hotfix/20160419/unauthorized-disclosure-of-site-content