Description

A vulnerability exists in Zope 2.12.x and Zope 2.13.x allows execution of arbitrary code by anonymous users. This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope/Plone service.

Versions Affected: Plone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope 2.12.x and Zope 2.13.x.

Remediation

Apply the Plone Hotfix 20110928 (Oct 04, 2011).

References

Security vulnerability announcement: 20110928 - Arbitrary Code Execution

Plone and Zope Remote Command Execution PoC

Plone Hotfix 20110928 (Oct 04, 2011)

Related Vulnerabilities

WordPress Plugin Quotes and Tips by BestWebSoft Cross-Site Scripting (1.19)

WebLogic CVE-2019-2650 Vulnerability (CVE-2019-2650)

Oracle Database Server CVE-2010-2389 Vulnerability (CVE-2010-2389)

Dolibarr Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-19799)

Joomla Credentials Management Errors Vulnerability (CVE-2016-9081)

Severity

High

Classification

CVE-2011-3587 CWE-78 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution Missing Update