Plone · Plone · CVE-2012-5501
**Name of the Vulnerable Software and Affected Versions**
Plone versions 4.2.0 through 4.2.3
Plone versions 4.3.0 through 4.3 beta 1
**Description**
The issue allows remote attackers to read arbitrary BLOBs, including Files and Images, stored on custom content types via a crafted URL. This is possible due to a flaw in the `at_download.py` script.
**Recommendations**
For Plone versions 4.2.0 through 4.2.3, update to version 4.2.3 or later.
For Plone versions 4.3.0 through 4.3 beta 1, update to version 4.3 beta 1 or later.
As a temporary workaround, consider restricting access to the `at_download.py` script until a patch is available.