Filesystem information leak

A vulnerability that allows remote attackers to obtain information on files on the server

Versions affected

  • 5.1a1
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2

Vulnerability

By using relative paths and guessing locations on a server Plone is installed on, an attacker can read data from a target server that the process running plone has permission to read. The attacker needs administrator privileges on the Plone site to perform this attack.

Current status

Patched

Credits

Discovered by

  • Sebastian Perez

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team