Input validation error in Plone

#VU37717 Input validation error in Plone

Published: 2018-01-03 | Updated: 2020-08-08

Vulnerability identifier: #VU37717

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1000483

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Plone
Web applications / CMS

Vendor: Plone

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Plone: 2.5.5 - 5.1

External links
http://plone.org/security/hotfix/20171128/sandbox-escape

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Plone