Bypass Restricted Python

A user who can create or edit templates can bypass Restricted Python.

Versions affected

5.1a1
5.0.4
5.0.3
5.0.2
5.0.1
5.0
5.0rc3
5.0rc2
5.0rc1

Vulnerability

This vulnerability should only affect site administrators who have ZMI access, or when you gave users permission to edit PloneFormGen templates. Only Chameleon (five.pt) is affected. This package is used by default in Plone 5, and can be added in Plone 4.

Current status

Patched

Credits

Discovered by

Fred van Dijk and Maurits van Rees

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2016-4043

Type

Unvalidated Input

Severity

5.8 – medium
Vector	Network
Complexity	High
Authentication	Multiple
Confidentiality	Partial
Integrity	Partial
Availability	Complete

Timeline

Vulnerability reported: 2016-01-08
Hotfix released: 2016-04-19