Privilege escalation through exposed underlying API
An exposed search API allows privileged section administrators to search for content outside the area they administer.
Versions affected
- 4.3.2
- 4.3.1
- 4.3
- 4.2.7
- 4.2.6
- 4.2.5
- 4.2.4
- 4.2.3
- 4.2.2
- 4.2.1
- 4.2
- 4.1.6
- 4.1.5
- 4.1.4
- 4.1.3
- 4.1.2
- 4.1.1
- 4.1
- 4.0.10
- 4.0.9
- 4.0.8
- 4.0.7
- 4.0.5
- 4.0.4
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0
- 3.3.6
- 3.3.5
- 3.3.4
- 3.3.3
- 3.3.2
- 3.3.1
- 3.3
Vulnerability
Plone's CatalogTool is a subclass of the CMF CatalogTool, which in turn is built on ZCatalog. The Plone subclass wraps a subset of the catalog's search methods to add permission checks, filtering results down to the items the current user is allowed to view. The remaining search methods of the underlying classes are not wrapped. Although they are not part of the official API, they remained callable from restricted Python (through-the-web scripts and page templates), so a user with the permission to search the catalog could retrieve results the wrapped methods would have filtered out, including content outside the area they administer.
Source at:
https://github.com/plone/Products.CMFPlone/blob/b08a45bc12b1bd42411f1130a487a7a242349ea0/Products/CMFPlone/CatalogTool.py
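The following is an added example that models the pattern behind this advisory; it is not Plone's or CMF's code, and the actual change is in the commit linked above. The class names (BaseCatalog, VulnerableCatalogTool, FixedCatalogTool), the method names search_results and search, the `security` dictionary standing in for Zope security declarations, and the `call_from_restricted` dispatcher standing in for a call from restricted Python are all hypothetical. The sample index entries are constructed.

```python
"""Model of a subclass that adds permission checks by wrapping only some of the
base class's search methods. Added example; names are hypothetical stand-ins."""

class Unauthorized(Exception):
    """Raised when restricted code calls a method it may not reach."""


PRIVATE = object()   # hypothetical marker: never callable from restricted code
CURRENT_USER = None  # set for the duration of a call, like a security manager


class User:
    def __init__(self, user_id, roles, permissions):
        self.user_id = user_id
        self.roles = set(roles)
        self.permissions = set(permissions)

    def roles_and_users(self):
        # Global roles plus the "user:<id>" token that local roles are indexed under.
        return self.roles | {"user:" + self.user_id}


class BaseCatalog:
    """Stand-in for the underlying catalog: raw queries, no permission filtering."""
    # Stand-in for security declarations: method name -> required permission.
    security = {"search_results": "Search Catalog", "search": "Search Catalog"}

    def __init__(self):
        self._records = []

    def index(self, path, allowed_roles_and_users):
        self._records.append((path, frozenset(allowed_roles_and_users)))

    def search_results(self, **query):
        return self._raw(query)

    def search(self, query):
        # A second public entry point onto the same raw search: the "unwrapped" path.
        return self._raw(query)

    def _raw(self, query):
        hits = []
        for path, allowed in self._records:
            if not path.startswith(query.get("path", "/")):
                continue
            wanted = query.get("allowed_roles_and_users")
            if wanted is not None and not (allowed & frozenset(wanted)):
                continue
            hits.append(path)
        return hits


class VulnerableCatalogTool(BaseCatalog):
    """Wraps search_results() with a viewer filter but inherits search() as-is."""
    def search_results(self, **query):
        query["allowed_roles_and_users"] = CURRENT_USER.roles_and_users()
        return super().search_results(**query)


class FixedCatalogTool(BaseCatalog):
    """Same wrapper, and the unwrapped entry point is declared private."""
    security = {"search": PRIVATE}

    def search_results(self, **query):
        query["allowed_roles_and_users"] = CURRENT_USER.roles_and_users()
        return super().search_results(**query)


def declaration_for(cls, name):
    # Nearest declaration in the MRO wins; an undeclared method is unreachable.
    for klass in cls.__mro__:
        decl = klass.__dict__.get("security", {}).get(name)
        if decl is not None:
            return decl
    return None


def call_from_restricted(user, tool, name, *args, **kwargs):
    """Model of restricted Python: only declared methods the user has permission for."""
    global CURRENT_USER
    decl = declaration_for(type(tool), name)
    if decl is None or decl is PRIVATE:
        raise Unauthorized(f"{name} is not accessible from restricted code")
    if decl not in user.permissions:
        raise Unauthorized(f"{name} requires {decl!r}")
    CURRENT_USER = user
    try:
        return getattr(tool, name)(*args, **kwargs)
    finally:
        CURRENT_USER = None


# Constructed sample data: alice holds a local role only under /plone/sales.
SECTION_ADMIN = User("alice", roles={"Authenticated"}, permissions={"Search Catalog"})


def build(tool_class):
    tool = tool_class()
    tool.index("/plone/sales/forecast", {"Manager", "user:alice"})
    tool.index("/plone/sales/pipeline", {"Manager", "user:alice"})
    tool.index("/plone/hr/salaries", {"Manager"})
    return tool


def demo(tool_class):
    """Return (results via wrapped method, results via unwrapped method or 'denied')."""
    tool = build(tool_class)
    wrapped = call_from_restricted(SECTION_ADMIN, tool, "search_results", path="/plone")
    try:
        unwrapped = call_from_restricted(SECTION_ADMIN, tool, "search", {"path": "/plone"})
    except Unauthorized:
        unwrapped = "denied"
    return wrapped, unwrapped


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableCatalogTool))
    print("fixed:     ", demo(FixedCatalogTool))
```

With the vulnerable tool the wrapped call returns only the two sales items, while the inherited `search` returns the HR item as well; with the fixed tool the inherited entry point is refused. The general check this illustrates: when permission filtering is added by wrapping methods in a subclass, every other public method of the base classes that reaches the same data is part of the attack surface, whether or not it is documented as API, and each one needs the same filter or a private declaration.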
Current status
Patched
Credits
Discovered by
- Richard Mitchell, of the Plone Security Team
Fixed by
- Matthew Wilkes, of the Plone Security Team
Coordinated by
- Plone Security Team