Arbitrary code execution

A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.

Versions affected

4.1
4.0.9
4.0.7
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0

Vulnerability

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

Current status

Credits

Discovered by

Plone Security Team

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2011-3587

Type

Severity

7.5 – high
Vector	Network
Complexity	Low
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	Partial

Timeline

Vulnerability reported: 2011-09-13
Hotfix released: 2011-10-04