PT-2014-2761 · Plone Foundation · Plone

Published 2014-03-11 · Updated 2022-05-17 · CVE-2013-4198

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Plone versions 2.1 through 4.1
Plone versions 4.2.x through 4.2.5
Plone versions 4.3.x through 4.3.1

Description
The issue allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality. This is related to the mail_password.py script.

Recommendations
For Plone versions 2.1 through 4.1, update to a version that contains a fix for this issue.
For Plone versions 4.2.x through 4.2.5, update to a version that contains a fix for this issue.
For Plone versions 4.3.x through 4.3.1, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the forgotten password email functionality until a patch is available.

Fix

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2013-4198
GHSA-QJXF-6PR8-J87V
PYSEC-2014-62

Affected Products

Plone