GHSA-jcwh-rj6j-vm75, CVE-2006-1711
pypi/Plone
Plone allows remote users to modify arbitrary portraits
Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
All versions up to 2.0.5, all versions starting from 2.1.0 up to 2.1.2, version 2.5-beta1
Upgrade to version 2.0.6 or above.
2024-02-13