Patches to Plone for unauthorized disclosure of registered user information
Versions Affected: All current Plone versions. Versions Not Affected: None.
Nature of vulnerability: Allows unauthorized disclosure of registered user information
The patch can be added to buildouts as Products.PloneHotfix20151208 (available from pypi.python.org) or downloaded from Plone.org
This patch is compatible with all supported Plone versions (i.e. Plone 4, Plone 5). It may work on earlier versions of Plone, but as these are officially unsupported they have not undergone the same level of testing with the patch.
The Plone Security Team is grateful to Giovanni Monteiro Calanzani and Glauter de Sousa Vilela, who reported the vulnerability.
Questions and Answers
Q: What is involved in applying the patch? A: Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date? A: Plone patches are always made available to all users at the same time. There are no exceptions.
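The Python-package route described in the first answer, as an added buildout fragment (not taken from the advisory or the hotfix package itself): the `[instance]` section name and the `Plone` egg already being listed are assumed from a conventional Plone buildout.

```ini
; Added example, not part of the advisory.
; The hotfix is installed as an ordinary egg of the Zope instance part;
; it is loaded when the instance starts, so a restart is required.
[instance]
recipe = plone.recipe.zope2instance
; Assumed: 'Plone' is what the site already lists here. Keep the site's
; existing eggs and append the hotfix package from PyPI.
eggs =
    Plone
    Products.PloneHotfix20151208
```

After saving, run bin/buildout and restart the instance; the hotfix package then applies its patches at startup.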
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the [hidden email] directly.
To report potentially security-related issues, e-mail the Plone Security Team directly at [hidden email]. We are always happy to credit individuals and companies who make responsible disclosures.
The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at [hidden email].
Information for Vulnerability Database Maintainers
We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the full vulnerability list.