CVE-2006-1711

Plone allows remote users to modify arbitrary portraits in pypi/Plone

Identifiers

GHSA-jcwh-rj6j-vm75, CVE-2006-1711

Package Slug

pypi/Plone

Vulnerability

Plone allows remote users to modify arbitrary portraits

Description

Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

Affected Versions

All versions up to 2.0.5, all versions starting from 2.1.0 up to 2.1.2, version 2.5-beta1

Solution

Upgrade to version 2.0.6 or above.

Last Modified

2024-02-13
