Remote Code Execution via Python Scripts
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
Vulnerability
In Python Scripts, an attacker may be able to abuse the string.Formatter class to access private attributes, which could then lead to remote code execution. Only Plone 5.2 on Python 3 is vulnerable.
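As an added illustration (not code from this advisory, and not AccessControl's actual fix), a minimal guard of the kind needed wherever string.Formatter is exposed to untrusted templates: it rejects any replacement field that traverses attributes or items, so a template cannot reach a private attribute of its arguments. The RestrictedFormatter class, safe_format helper and the Sample object with its _secret attribute are all constructed for this example.

```python
import string


class RestrictedFormatter(string.Formatter):
    """string.Formatter that refuses attribute and item access in fields.

    Plain "{0}" / "{name}" substitution is allowed; "{0.attr}" and
    "{0[key]}" are the forms that walk into the arguments' attributes
    and items, so they are rejected before any lookup happens.
    """

    def get_field(self, field_name, args, kwargs):
        # Nested fields inside a format spec ("{0:{1}}") also pass
        # through get_field, so this check covers them as well.
        if "." in field_name or "[" in field_name:
            raise ValueError(
                f"attribute/item access not allowed in field {field_name!r}"
            )
        return super().get_field(field_name, args, kwargs)


def safe_format(template, *args, **kwargs):
    """Render template with RestrictedFormatter (constructed helper)."""
    return RestrictedFormatter().format(template, *args, **kwargs)


def is_traversal_blocked(template, *args, **kwargs):
    """True if safe_format rejects the template, False if it renders it."""
    try:
        safe_format(template, *args, **kwargs)
    except ValueError:
        return True
    return False


class Sample:
    """Constructed object carrying a private attribute for the demo."""

    def __init__(self):
        self._secret = "not reachable from a template"

    def __str__(self):
        return "Sample"


if __name__ == "__main__":
    print(safe_format("hello {0} {who}", Sample(), who="world"))
    print(is_traversal_blocked("{0._secret}", Sample()))
```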
Current status
Fixed in AccessControl 4.3 (and 5.2), available in Zope 4.6.3 (and 5.3).
Version 1.6 of the Plone hotfix contains the fix as well.
Credits
Discovered by
- Calum Hutton
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team