Safety vulnerability ID: 36898
The information on this page was manually curated by our Cybersecurity Intelligence Team.
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. See: CVE-2020-7941.
Latest version: 6.1.1
The Plone Content Management System
------------------
- create a TinyMCE template for Board meeting minutes
[cdw9]
- temporarily remove releasesecurityinfo until we can deal with existing content types by the same name on the live site
[tkimnguyen]
- merge GSoC 2017 work! ploneorg.addonlisting and ploneorg.releasesecurityinfo
[pavithirakc, loechel, tkimnguyen]
- add uwosh.pfg.d2c
[tkimnguyen]
- change sponsors page to display sponsor logos based on FoundationSponsor object queries
[tkimnguyen]
- change home page to display premium sponsor logos taken from new FoundationSponsor objects instead of the logo images
[tkimnguyen]
- make some Sponsor fields optional, remove Ammado payment method
[tkimnguyen]
- new Foundation Sponsor content type, workflow, role, permissions, view
[tkimnguyen]
- Allow viewing of Foundation Member merit if have View Details permission
[tkimnguyen]
- Fix workflow for members to make renewal easier, and hook up broken transitions
[cdw9]