Date: Sat, 19 Sep 2015 10:41:18 -0500
From: Nathan Van Gheem <nathan.van.gheem@...ne.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Plone Unauthorized user creation

Hi,

Can a CVE be assigned to this issue, please?


https://plone.org/security/20150910/anonymous-is-able-to-create-plone-members

It's a vulnerability that allows remote attackers to add a new member to a
Plone site when registration is enabled, without acknowledgment of the site
administrator. Versions affected are Plone 3.x, 4.1.x, 4.2.x, <4.3.7,
<5.0rc1. A hotfix has been posted for earlier versions of Plone that are no
longer provided with new releases.

The relevant commit is:

https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406

The vendor credits with the discovery: Maurits van Rees at Zest Software

Thanks, let me know if you'd like more information.

Nathan
