GitHub Advisory DatabaseGHSA-984M-RJ28-8C6XPlone unauthorized member addition vulnerability
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
69.8%
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| products.cmfplone | lt | 5.0rc2 | |
| products.cmfplone | ge | 3.3.0 | |
| products.cmfplone | lt | 4.3.6 |
References
www.openwall.com/lists/oss-security/2015/09/22/13
bugzilla.redhat.com/show_bug.cgi?id=1264791
github.com/advisories/GHSA-984m-rj28-8c6x
github.com/plone/Products.CMFPlone/commit/1845b0a92312291811b68907bf2aa0fb448c4016
github.com/plone/Products.CMFPlone/commit/9f0111f85cd14f3f067044b59b93e2856c99d542
nvd.nist.gov/vuln/detail/CVE-2015-7315
plone.org/security/hotfix/20150910/anonymous-is-able-to-create-plone-members
pypi.org/project/Products.PloneHotfix20150910/
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
69.8%