Safety vulnerability ID: 35643
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment by the site administrator.
https://plone.org/security/hotfix/20150910/anonymous-is-able-to-create-plone-members
Latest version: 6.1.1
The Plone Content Management System
MLIST:[oss-security] 20150922 Re: CVE Request: Plone Unauthorized user creation: http://www.openwall.com/lists/oss-security/2015/09/22/13
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1264791
CONFIRM: https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406
CONFIRM: https://plone.org/security/hotfix/20150910/anonymous-is-able-to-create-plone-members