CVE-2016-7135

Name of the Vulnerable Software and Affected Versions Plone CMS versions 4.2.x through 4.3.11 Plone CMS versions 5.x through 5.0.6

Description The issue allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to the Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions endpoint.

Recommendations For Plone CMS versions 4.2.x through 4.3.11, update to a version outside of this range to resolve the issue. For Plone CMS versions 5.x through 5.0.6, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions endpoint to minimize the risk of exploitation. Avoid using the path parameter in the affected getFile action until the issue is resolved.