Permissions, Privileges, and Access Controls in Plone

#VU41731 Permissions, Privileges, and Access Controls in Plone

Published: 2014-05-02 | Updated: 2020-08-10

Vulnerability identifier: #VU41731

Vulnerability risk: Low

CVSSv3.1: 2.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-7061

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Plone
Web applications / CMS

Vendor: Plone

Description

The vulnerability allows a remote #AU# to read and manipulate data.

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Plone: 3.3 - 4.3.2

External links
http://www.openwall.com/lists/oss-security/2013/12/10/15
http://www.openwall.com/lists/oss-security/2013/12/12/3
http://plone.org/security/20131210/catalogue-exposure

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Plone