Bypass Restricted Python
A user who can create or edit templates can bypass Restricted Python.
Versions affected
- 5.1a1
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.1
- 5.0
- 5.0rc3
- 5.0rc2
- 5.0rc1
Vulnerability
This vulnerability should only affect site administrators who have ZMI access, or sites where you have given users permission to edit PloneFormGen templates. Only Chameleon (five.pt) is affected. This package is used by default in Plone 5, and can be added in Plone 4.
Current status
Patched
Credits
Discovered by
- Fred van Dijk and Maurits van Rees
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team