Vulnerability in PloneFormGen requires immediate update

PloneFormGen, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.

Installations of Plone that do not use the PloneFormGen add-on are not affected by this vulnerability.

The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04) through 1.7.8. Users of any of these versions should immediately upgrade to Products.PloneFormGen version 1.7.9. Version 1.7.9 has been released today to the Plone and Python package repositories.

Another serious vulnerability affects most earlier versions of PloneFormGen. This vulnerability affects forms that have custom script adapters, and allows an anonymous attacker to gain control over the handling of data submitted through the form. This vulnerability is addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7, also released today.

Thanks to The Code Distillery's security analysts for the responsible disclosure of the vulnerabilities, and for their suggestions for addressing the issues.

Plone-Announce mailing list
[hidden email]
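
One way to check a deployment against the version ranges in this announcement, as an added example that is not part of the original message or of the PloneFormGen project. The pin and egg-name formats matched, the constructed sample lines, and the treatment of releases after 1.7.9 as fixed are assumptions.

```python
import re

# Assumed input formats: buildout pins ("Products.PloneFormGen = 1.7.5"),
# pip pins ("==") and egg directory names ("Products.PloneFormGen-1.7.5-py2.6.egg").
PFG = re.compile(r"Products\.PloneFormGen\s*(?:==|=|-)\s*(\d+(?:\.\d+)*)(\w*)", re.I)

def classify(version):
    """Map a plain dotted version string to the statements in the announcement."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))              # "1.7" compares as (1, 7, 0)
    if (1, 7, 4) <= v <= (1, 7, 8):
        return "affected: code execution issue (1.7.4 through 1.7.8); upgrade to 1.7.9"
    if v >= (1, 7, 9):
        return "fixed"                    # assumption: later releases keep the fix
    if v[:2] == (1, 6):
        if v >= (1, 6, 7):
            return "fixed"
        return "likely affected: script adapter issue; upgrade to 1.6.7"
    # The announcement says "most earlier versions" without listing them.
    return "possibly affected: script adapter issue; fixed in 1.7.9"

def scan(lines):
    """Return (version, status) for every PloneFormGen pin or egg name found."""
    findings = []
    for line in lines:
        m = PFG.search(line)
        if not m:
            continue
        version, suffix = m.groups()
        if suffix:                        # e.g. "1.7b3": do not guess the ordering
            status = "review manually: pre-release or unusual version"
        else:
            status = classify(version)
        findings.append((version + suffix, status))
    return findings

# Constructed sample input (not taken from any real site).
SAMPLE = [
    "Products.PloneFormGen = 1.7.5",
    "Products.PloneFormGen-1.6.6-py2.6.egg",
    "Products.PloneFormGen==1.7.9",
    "Products.PloneFormGen-1.6.7-py2.4.egg",
    "Products.PloneFormGen = 1.7b3",
    "Plone = 4.2.4",
]

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(version, "->", status)
```

Feed it the lines of a buildout versions file or a listing of the eggs directory; a version with a letter suffix is reported for manual review rather than compared.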