PT-2014-2328 · Plone · Plone

Alessandro Sauzher

Published: 2014-09-30 · Updated: 2022-05-17

CVE-2012-5501

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Plone versions 4.2.0 through 4.2.3; Plone versions 4.3.0 through 4.3 beta 1.

Description: The issue allows remote attackers to read arbitrary BLOBs, including Files and Images, stored on custom content types via a crafted URL. This is possible due to a flaw in the at_download.py script.

Recommendations: For Plone versions 4.2.0 through 4.2.3, update to version 4.2.3 or later. For Plone versions 4.3.0 through 4.3 beta 1, update to version 4.3 beta 1 or later. As a temporary workaround, consider restricting access to the at_download.py script until a patch is available.

Fix

Weakness Enumeration

Related identifiers

CVE-2012-5501
GHSA-PVHV-QWC8-R2PG
PYSEC-2014-43

Affected products

Plone