
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- Zope/Plone -- Unspecified vulnerability in Zope v2.12.x and Zope v
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-09-30 16:04:54
Message-ID: cec6ff3d-0bf8-4e07-9baa-0da4e1455238 () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com



----- Original Message -----
> Hello Josh, Steve, vendors,
> 
>    Plone upstream has published a pre-announcement about a security
> flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow
> execution of arbitrary code by anonymous users. An authenticated
> attacker could provide a specially-crafted web page, which once
> visited by an unsuspecting Zope user would lead to arbitrary command
> execution with the privileges of the Zope/Plone service.
> 
> References:
> [1] http://plone.org/products/plone/security/advisories/20110928
> [2] http://secunia.com/advisories/46221/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=742297
> 
> Note: The vendor announced the final version of the advisory and
>        the patch to be available at 2011-10-04 15:00 UTC at the
>        following location:
>        [4]
>        http://plone.org/products/plone/security/advisories/20110928
> 

Please use CVE-2011-3587 for this.

Thanks.

-- 
    JB