CVE-2016-4043

MEDIUM

Plone <5.1a1 - Auth Bypass

Description

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.

Scores

CVSS v3: 4.9
EPSS: 0.0014
EPSS Percentile: 33.6%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Classification

CWE: CWE-264
Status: published

Affected Products (11)

plone/plone
plone/plone
plone/plone
plone/plone
plone/plone
plone/plone
plone/plone
plone/plone
plone/plone
pypi/Plone PyPI
n/a/n/a

Timeline

Published: Feb 24, 2017
Tracked Since: Feb 18, 2026