Main Vulnerability Database Vulnerabilities #VU39623

Permissions, Privileges, and Access Controls in Plone - CVE-2016-4043

Published: February 24, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39623

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-4043

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Plone

Affected software:
Plone

Detailed vulnerability description

The vulnerability allows a remote privileged user to manipulate data.

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.

How to mitigate CVE-2016-4043

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2016/04/20/3
https://plone.org/security/hotfix/20160419/bypass-restricted-python

Permissions, Privileges, and Access Controls in Plone - CVE-2016-4043

Detailed vulnerability description

How to mitigate CVE-2016-4043

Sources

Please verify you're human