Bypass Restricted Python

A user who can create or edit templates can bypass Restricted Python.

Versions affected

  • 5.1a1
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1

Vulnerability

This vulnerability should only affect site administrators who have ZMI access, or sites where users have been granted permission to edit PloneFormGen templates. Only Chameleon (five.pt) is affected. This package is used by default in Plone 5 and can be added to Plone 4.

Current status

Patched

Credits

Discovered by

  • Fred van Dijk and Maurits van Rees

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team