CVE-2011-4030: Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable

May 17, 2022 (updated November 22, 2024)

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

References

github.com/advisories/GHSA-pwgm-jvqv-6v8p
github.com/plone/Plone
github.com/pypa/advisory-database/tree/main/vulns/products-plonehotfix20110928/PYSEC-2011-27.yaml
nvd.nist.gov/vuln/detail/CVE-2011-4030

Code Behaviors & Features

Detect and mitigate CVE-2011-4030 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →