Plone CMS vulnerable to privilege escalation and code execution
The Plone Foundation has warned users that there are multiple vulnerabilities in its open source Plone content management system (CMS) as well as the Zope toolkit. According to the security advisory, an attacker could exploit these security holes to escalate privileges, allowing them to bypass certain security restrictions, or to execute arbitrary code on a system.
While specific details about the vulnerabilities, which are rated as "highly critical" by security specialist Secunia, are being withheld for the time being, the developers strongly recommend that administrators take certain steps in order to protect their sites. These include making sure that installations are running with the minimum required privileges, using an intrusion detection system to monitor resources for unauthorised changes, and monitoring system logs for unusual activity.
The Foundation says that a majority of these problems were found as part of audits by the project's security team, but some were also reported by users. All supported versions of the software are said to be affected. Patches to close the holes will be released on Tuesday 6 November at 15:00 UTC; the project's developers advise administrators to "plan a maintenance window for the 60 minutes following the announcement in which to install the fix".