Date: Tue, 10 Dec 2013 14:58:37 +0000
From: Matthew Wilkes <>
Subject: CVE request for Plone

Hello all,

I'd like to request some CVEs for Plone as we have a hotfix release today.

Filesystem path information leak

First up, we have a vulnerability that allows people to find the install 
path of Plone on a server. I can't actually think of any attacks that 
happen with this, but we had a CVE assigned for it before so I'm 
requesting another.

Details, including source links are at:

Privilege escalation through exposed underlying API

Plone's searching infrastructure is based on CMF's, which is based on 
Zope's. Plone wraps the search API with additional filters for 
permissions and expired content. One of the methods that allows 
searching wasn't so wrapped, so people who can write untrusted Python 
can gain access to content they aren't authorised to. In addition, this 
can accidentally expose information.

Details, including source links are at:

In addition, we are releasing two patches to vulnerabilities in Zope 
today. Can somebody advise if these should be merged?

Reflexive XSS in browser_id_manager

Zope's session infrastructure includes a method for encoding URLs, which 
is accessible through the web. By passing HTML into this method a 
reflexive XSS attack can be achieved.

Details, including source links are at:

Reflexive XSS in OFS.Image

Zope's image objects include a method for generating tags, which allow 
for arbitrary classes to be included. This method is accessible through 
the web and these classes are not sanitised, so the image tag can be 
broken out of and arbitrary HTML included.

Details, including source links are at:

Thanks for your attention,

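The two Zope items above come down to the same defect: a caller-supplied value (a class name, or text passed to a URL-encoding helper) is dropped into generated HTML without escaping. As an added illustration, not code from Zope, Plone or the message's author, the following hypothetical `render_img_tag` shows the unescaped pattern beside its escaped form and a small parser that checks how a browser would read the result; `build_img_tag_unsafe`, `build_img_tag_safe` and the sample input are constructed for this example.

```python
import html
from html.parser import HTMLParser


def build_img_tag_unsafe(src: str, css_class: str) -> str:
    """The defect pattern: attribute values are interpolated verbatim.

    A double quote inside css_class terminates the class attribute, so the
    remainder of the value is parsed as further attributes of the tag.
    """
    return '<img src="%s" class="%s" />' % (src, css_class)


def build_img_tag_safe(src: str, css_class: str) -> str:
    """The fix: escape every interpolated value for an attribute context.

    html.escape with quote=True turns ", ', <, > and & into entities, so the
    value can never close the attribute or the tag.
    """
    return '<img src="%s" class="%s" />' % (
        html.escape(src, quote=True),
        html.escape(css_class, quote=True),
    )


class _AttrCollector(HTMLParser):
    """Collects (tag, attributes) pairs the way a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_starttag = handle_startendtag


def parsed_attributes(markup: str) -> dict:
    """Return the attribute dict of the single <img> tag in markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    assert len(parser.tags) == 1 and parser.tags[0][0] == "img"
    return parser.tags[0][1]


# Constructed sample: a class value carrying a quote and a second attribute.
SAMPLE_CLASS = 'thumb" data-injected="yes'
```

The check to run in review is simply that `parsed_attributes(build_img_tag_safe(...))` contains only `src` and `class`, whatever the input.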