Remote Code Execution via traversal in expressions with aliases
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
Most Python modules are not available for using in expressions that you can add through-the-web, for example in the parameters of a Diazo theme. This is mostly to avoid file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly.
By default, you need to have the Manager role to exploit this.
Current status
Hotfixed. Fix released in Zope 4.6 and 5.2.
Credits
Discovered by
- David Miller
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team