Privilege escalation when plone.restapi is installed
Versions affected
- 5.2.1
- 5.2.0
Vulnerability
Sites using plone.restapi allow users who already hold a certain privilege level to escalate their privileges to the highest level.
A site is only vulnerable when plone.restapi is installed through the add-ons (modules) control panel. plone.restapi has shipped with Plone since version 5.2, but it is not installed by default.
Current status
Patched
Credits
Discovered by
- Lukas Graf
- Niklaus Johner
Fixed by
- Lukas Graf
- Niklaus Johner
Coordinated by
- Plone Security Team