Anonymous is able to create Plone members

A vulnerability that allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.

Versions affected

4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.1
4.1
4.0.10
4.0.9
4.0.8
4.0.7
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0
3.3.6
3.3.5
3.3.4
3.3.3
3.3.2
3.3.1
3.3
5.0rc1

Vulnerability

Current status

Patched

Credits

Discovered by

Maurits van Rees at Zest Software

Fixed by

Nathan Van Gheem, of the Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2015-7315

Type

Authorization Vulnerability‎

Severity

6.8 – medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	Partial

Timeline

Vulnerability reported: 2015-09-10
Hotfix released: 2015-09-10