Don tsarin sarrafa abun ciki kyauta , an rubuta da Python ta amfani da sabar aikace-aikacen Zope, faci tare da kawarwa (Ba a riga an sanya masu gano na CVE ba). Matsalolin sun shafi duk fitowar Plone na yanzu, gami da sakin da aka saki kwanakin baya . Ana shirin gyara batutuwan a cikin fitowar Plone 4.3.20, 5.1.7 da 5.2.2 na gaba, kafin buga su wanda aka ba da shawarar yin amfani da su. .
Abubuwan da aka gano (ba a bayyana cikakkun bayanai ba):
- Haɓaka gata ta hanyar yin amfani da Rest API (yana bayyana ne kawai lokacin da aka kunna plone.restapi);
- Sauya lambar SQL saboda rashin isassun tserewa na gina SQL a cikin DTML da abubuwa don haɗawa zuwa DBMS (matsalar ta keɓance ga kuma ya bayyana a cikin wasu aikace-aikace dangane da shi;
- Ikon sake rubuta abun ciki ta hanyar magudi tare da hanyar PUT ba tare da samun haƙƙin rubutu ba;
- Buɗe turawa a cikin hanyar shiga;
- Yiwuwar watsa munanan hanyoyin haɗin waje ta ketare rajistan tashar tashar isURLIn;
- Binciken ƙarfin kalmar wucewa ya gaza a wasu lokuta;
- Rubutun giciye (XSS) ta hanyar sauya lambar a cikin filin take.
source: budenet.ru