Remote Code Execution via Python Scripts

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0

Vulnerability

Python Scripts run under RestrictedPython, which blocks access to names beginning with an underscore. The attribute and item lookups that string.Formatter (and str.format) perform while resolving a replacement field such as {0.__class__} are plain getattr/getitem calls that bypass that check, so an attacker who can edit a Python Script may be able to use a format string to reach private attributes, and from there to achieve remote code execution. Only Plone 5.2 on Python 3 is vulnerable; Plone 5.2 on Python 2 and earlier Plone releases are not affected.
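The following is an added illustration, not code from Plone or from the AccessControl fix. It shows how a plain string.Formatter follows a format string through private attributes and into module globals, and then a guarded Formatter subclass that rejects every underscore-prefixed step (loosely modelled on the guarded-access idea, not on AccessControl's actual policy checks). The Context class, SECRET_KEY constant and the guard functions are constructed for the example.

```python
"""Added example: string.Formatter field resolution reaching private state,
and a guarded Formatter that refuses such access.
Illustration only, not Plone's or AccessControl's own code."""
import _string  # CPython helper that string.Formatter itself uses to split field names
import string

# Constructed stand-in for module-level state an attacker would like to read
SECRET_KEY = "s3cr3t-signing-key"


class Context:
    """Constructed stand-in for an object passed to a script, with a 'private' attribute."""

    def __init__(self, title, secret):
        self.title = title
        self._secret = secret


def leak_private(ctx):
    # A plain Formatter resolves '.name' with getattr(); underscore names get no special treatment.
    return string.Formatter().format("{0._secret}", ctx)


def leak_globals(ctx):
    # Walk from the instance to its class, to the Python-level __init__ function,
    # to that function's module globals, then index by name. Any object whose
    # methods are written in Python gives the same starting point.
    return string.Formatter().format(
        "{0.__class__.__init__.__globals__[SECRET_KEY]}", ctx)


class FormatAccessDenied(AttributeError):
    """Raised when a format field tries to step through a forbidden name."""


def guarded_getattr(obj, name):
    # Hypothetical guard: mirror the sandbox rule that underscore names are off limits.
    if name.startswith("_"):
        raise FormatAccessDenied(f"attribute {name!r} is not accessible")
    return getattr(obj, name)


def guarded_getitem(obj, key):
    # Hypothetical guard: apply the same rule to string keys, e.g. into a __dict__.
    if isinstance(key, str) and key.startswith("_"):
        raise FormatAccessDenied(f"key {key!r} is not accessible")
    return obj[key]


class GuardedFormatter(string.Formatter):
    """Formatter that routes every attribute and index step through a guard.

    get_field is the single place where '.attr' and '[key]' parts of a
    replacement field are resolved, so overriding it covers every template.
    """

    def get_field(self, field_name, args, kwargs):
        first, rest = _string.formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            obj = guarded_getattr(obj, name) if is_attr else guarded_getitem(obj, name)
        return obj, first


def safe_render(template, *args, **kwargs):
    """Render a template with the guarded formatter; raises FormatAccessDenied on abuse."""
    return GuardedFormatter().format(template, *args, **kwargs)


if __name__ == "__main__":
    ctx = Context("Front page", "hunter2")
    print(leak_private(ctx))   # unguarded: the private attribute
    print(leak_globals(ctx))   # unguarded: a module global
    print(safe_render("{0.title}", ctx))
    try:
        safe_render("{0.__class__.__init__.__globals__[SECRET_KEY]}", ctx)
    except FormatAccessDenied as exc:
        print("blocked:", exc)
```

A guarded Formatter only helps if the sandbox also prevents untrusted code from calling the built-in str.format (and format_map) directly, since those never go through a subclass; the fix in AccessControl addresses that path, which this example does not.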

Current status

Fixed in AccessControl 4.3 (for Zope 4) and AccessControl 5.2 (for Zope 5), which ship with Zope 4.6.3 and Zope 5.3 respectively. Version 1.6 of the Plone hotfix contains the fix as well, for sites that cannot upgrade Zope and AccessControl immediately.

Credits

Discovered by

  • Calum Hutton

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team