Description
A vulnerability in Zope 2.12.x and Zope 2.13.x allows execution of arbitrary code by anonymous users. This is a severe vulnerability: an unauthenticated attacker can use a carefully crafted web request to execute arbitrary commands with the privileges of the Zope/Plone service.
Versions Affected: Plone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope 2.12.x and Zope 2.13.x.
Remediation
Apply the Plone Hotfix 20110928 (Oct 04, 2011).
References
Security vulnerability announcement: 20110928 - Arbitrary Code Execution