Restricted Python injection

Anonymous users can cause an arbitrary Python statement to be run when the admin interface is accessed. No breakout of the in-built Python sandbox is possible, but it will run with the privileges of that admin user.

Versions affected

4.2.2
4.2.1
4.2
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.1
4.1
4.0.10
4.0.9
4.0.8
4.0.7
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0
3.3.6
3.3.5
3.3.4
3.3.3
3.3.2

Vulnerability

This allows the injection of arbitrary code that will be run with manager or site admin permissions the next time the control panel is accessed.

Current status

Credits

Discovered by

Plone Security Team

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2012-5485

Type

Severity

7.8 – high
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	None
Integrity	Complete
Availability	Partial

Timeline

Vulnerability reported:
Hotfix released: