Family: CGI abuses --> Category: destructive_attack
Plone Unprotected MembershipTool Methods Vulnerability (Vulnerability Scan)
Vulnerability Scan Summary: Tries to change profiles using Plone
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a Python application that is affected
by an access control failure.
Description :
The remote host is running Plone, an open-source content management system
written in Python.
The version of Plone installed on the remote host does not limit
access to the 'changeMemberPortrait' and 'deletePersonalPortrait'
MembershipTool methods. An unauthenticated attacker can leverage this
issue to delete member portraits or to add or update portraits with
malicious content.
See also :
http://dev.plone.org/plone/ticket/5432
Solution :
Either install Hotfix 2006-04-10 1.0 or upgrade to Plone version 2.0.6
/ 2.1.3 / 2.5-beta2 when they become available.
Threat Level:
Low / CVSS Base Score: 2.3
(AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)