For a free content management system written in Python using the Zope Application Server, patches with elimination (CVE identifiers have not yet been assigned). Issues affect all current releases of Plone, including the release formed a few days ago . The issues are planned to be fixed in future releases of Plone 4.3.20, 5.1.7, and 5.2.2, until which it is suggested to use .
Identified vulnerabilities (details not yet disclosed):
- Privilege escalation via Rest API manipulation (appears only when plone.restapi is included);
- SQL code substitution due to insufficient escaping of SQL constructs in DTML and objects for connecting to the DBMS (the problem is specific to and manifests itself in other applications based on it);
- Ability to rewrite content through manipulations with the PUT method without having write permissions;
- Open redirect in login form;
- Ability to pass malicious external links bypassing the isURLInPortal check;
- Failure of the password strength check in some cases;
- Cross-site scripting (XSS) through code substitution in the header field.
Source: opennet.ru