Vulnerability in PloneFormGen — Updated announcement
[The previous version of this announcement suggested an upgrade to PloneFormGen version 1.7.9. The distribution file for that version had an error that prevented installation. Version 1.7.11 replaces it. Information has also been added on how to get help with the update.]
PloneFormGen, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.
Installations of Plone that do not use the PloneFormGen add-on are not affected by this vulnerability.
The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04) through 1.7.8. Users of any of these versions should immediately upgrade to Products.PloneFormGen version 1.7.11, which has been released today to the Plone and Python package repositories.
Another serious vulnerability affects most earlier versions of PloneFormGen. This vulnerability affects forms that have custom script adapters, and allows an anonymous attacker to gain control over the handling of data submitted through the form. This vulnerability is addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7, also released today.