SB2017092508 - Multiple vulnerabilities in Plone

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2015-7315)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.

2) Cross-site scripting (CVE-ID: CVE-2015-7316)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Plone 3. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2015/09/22/13
• https://bugzilla.redhat.com/show_bug.cgi?id=1264791
• https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406
• https://plone.org/security/hotfix/20150910/anonymous-is-able-to-create-plone-members
• http://www.openwall.com/lists/oss-security/2015/09/22/14
• https://bugzilla.redhat.com/show_bug.cgi?id=1264788
• https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087
• https://plone.org/security/hotfix/20150910/non-persistent-xss-in-plone