Privilege escalation

This is an escalation of privileges attack which makes it possible for an authenticated Plone user to edit the properties of other users, bypassing authorization checks.

Versions affected

4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.1

Vulnerability

Current status

Credits

Discovered by

Unknown (3rd Party)

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2011-1950

Type

Severity

6.0 – medium
Vector	Network
Complexity	Medium
Authentication	Single
Confidentiality	Partial
Integrity	Partial
Availability	Partial

Timeline

Vulnerability reported: 2011-05-26
Hotfix released: 2011-06-01