Security vulnerability: 20151208 — Plone CMS: Open Source Content Management

classic Classic list List threaded Threaded
1 message Options
Announce mailing list Announce mailing list
Reply | Threaded
Open this post in threaded view

Security vulnerability: 20151208 — Plone CMS: Open Source Content Management

Security vulnerability: 20151208

Patches to Plone for unauthorized disclosure of registered user information

Versions Affected: All current Plone versions. 
Versions Not Affected: None.

Nature of vulnerability: Allows unauthorized disclosure of registered user information

The patch can be added to buildouts as Products.PloneHotfix20151208 (available from or downloaded from

This patch is compatible with all supported Plone versions (i.e. Plone 4, Plone 5). It may work on earlier versions of Plone, but as these are officially unsupported they have not undergone the same level of testing with the patch.


Full installation instructions are available on the HotFix release page.

Extra Help

If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at and .

There is also free support available online via the Plone IRC channel and the Plone community forum.


The Plone Security Team is grateful to Giovanni Monteiro Calanzani and Glauter de Sousa Vilela, who reported the vulnerability.

Questions and Answers

Q. What is involved in applying the patch? 
A. Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date? 
A: Plone patches are always made available to all users at the same time. There are no exceptions.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums . If you have specific questions about this vulnerability or its handling, contact the [hidden email]directly.

To report potentially security-related issuese-mail the Plone Security Team directly at [hidden email]. We are always happy to credit individuals and companies who make responsible disclosures.

The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at [hidden email].

Information for Vulnerability Database Maintainers

We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the full vulnerability list


Plone-Announce mailing list
[hidden email]