Kwinkqubo yolawulo lomxholo wasimahla , ebhalwe kwiPython usebenzisa iseva yesicelo seZope, amabala anokupheliswa (Izazisi ze-CVE azikabelwa). Iingxaki zichaphazela konke ukukhutshwa kwePlone yangoku, kubandakanywa nokukhululwa okukhutshwe kwiintsuku ezimbalwa ezidlulileyo . Imiba icwangciswe ukuba ilungiswe kukhupho lwexesha elizayo lwePlone 4.3.20, 5.1.7 kunye no-5.2.2, phambi kokupapashwa ekucetyiswa ukuba kusetyenziswe. .
Ubuthathaka obuchongiweyo (iinkcukacha azikachazwa):
- Ukunyuswa kwamalungelo ngokuguqulwa kwe-API yokuphumla (ivela kuphela xa i-plone.restapi yenziwe);
- Ukutshintshwa kwekhowudi yeSQL ngenxa yokungonelanga ukubaleka kolwakhiwo lweSQL kwiDTML kunye nezinto zokuqhagamshela kwiDBMS (ingxaki ikhethekileyo kwaye ivela kwezinye izicelo ezisekelwe kuyo);
- Ukukwazi ukubhala kwakhona umxholo ngokuguqulwa kwendlela ye-PUT ngaphandle kokuba namalungelo okubhala;
- Vula ukuqondisa kwakhona kwifomu yokungena;
- Ukubanakho ukuthumela amakhonkco angalunganga angaphandle ngokugqitha i-isURLInPortal khangela;
- Ukukhangela amandla okugqithisa igama lokugqitha kuyasilela kwezinye iimeko;
- I-Cross-site scripting (XSS) ngokutshintshwa kwekhowudi kwindawo yesihloko.
umthombo: opennet.ru