[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-REQUEST] Plone XSS and permission errors
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-REQUEST] Plone XSS and permission errors
- From: matthew@xxxxxxxxxxxxxxxxxx
- Date: Thu, 26 May 2011 08:06:06 -0600
Hello all,
As a member of the Plone security response team I hereby notify you that we
have been made aware of three distinct security holes in Plone and are
requesting CVE identifiers.
1. Reflected XSS attack
A crafted URL can display arbitrary HTML output
2. Persistent XSS attack
Certain valid HTML will allow Javascript filtering to be bypassed.
3. Unauthorised data changes
One change form for data allows preferences to be changed. No deletion of
content of loss of confidentiality is possible.
Thanks very much,
Matthew