oss-sec mailing list archives
CVE Request: Plone Unauthorized user creation
From: Nathan Van Gheem <nathan.van.gheem () plone org>
Date: Sat, 19 Sep 2015 10:41:18 -0500
Hi,

Can a CVE be assigned to this issue, please?

https://plone.org/security/20150910/anonymous-is-able-to-create-plone-members

It's a vulnerability that allows remote attackers to add a new member to a Plone site when registration is enabled, without acknowledgment of site administrator.

Versions affected are Plone 3.x, 4.1.x, 4.2.x, <4.3.7, <5.0rc1.

A hotfix has been posted for earlier versions of Plone that are no longer provided new releases.

The relevant commit is:
https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406

The vendor credits with the discovery: Maurits van Rees at Zest Software

Thanks, let me know if you'd like more information.

Nathan