In association with heise online

13 June 2008, 09:16

CSRF hole eliminated from Plone CMS


The developers of Plone, an open source content management system, have released version 3.1.1, in which a Cross-Site Request Forgery (CSRF) vulnerability has been eliminated. The vulnerability enabled an attacker to change a user's settings – possibly his email address – using HTTP requests hidden in web sites.

The problem was solved using a specially developed anti-CSRF framework that is also available as a hotfix for version 3.0. Version 3.1.1 is the first in the 3.1 series and contains many further innovations and improvements. Version 3.1.2 is already available for download. Version 3.1 itself never appeared because of various bugs.
