CSRF hole eliminated from Plone CMS
The developers of Plone, an open source content management system, have released version 3.1.1, in which a Cross-Site Request Forgery vulnerability (CSRF) has been eliminated. The vulnerability enabled an attacker to change a user's settings – possibly his email address – using HTTP requests hidden in web sites.
The problem was solved using a specially developed anti-CSRF framework that is also available as a hotfix for version 3.0. Version 3.1.1 is the first in the 3.1 series and contains many further innovations and improvements. Version 3.1.2 is already already available for download. Version 3.1 itself never appeared because of various bugs.
See also:
- Plone Hotfix CVE-2008-0164, vulnerability report from Plone
- Plone 3.1.1 released, announcement from Plone
(mba)