Fwd: [Plone-Announce] Vulnerability in PloneFormGen requires immediate update
-------- Original Message --------
To: [hidden email]
From: Announcement of Plone releases and security-related
Subject: [Plone-Announce] Vulnerability in PloneFormGen requires immediate update
PloneFormGen, a widely used response-form-creation add-on for the Plone
Content Management System, has been discovered to have a serious
vulnerability that allows an anonymous attacker to execute arbitrary
code with the privileges of the system user running the server.
Installations of Plone that do not use the PloneFormGen add-on are not
affected by this vulnerability.
The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
through 1.7.8. Users of any of these versions should immediately upgrade
to Products.PloneFormGen version 1.7.9. 1.7.9 has been released today to
the Plone and Python package repositories.
Another serious vulnerability affects most earlier versions of
PloneFormGen. This vulnerability affects forms that have custom script
adapters, and allows an anonymous attacker to gain control over the
handling of data submitted through the form. This vulnerability is
addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series,
which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7,
also released today.
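For administrators triaging a fleet of Plone sites, the following is an added example (not part of the announcement or of the PloneFormGen project) that turns the version guidance above into a check: it parses a Products.PloneFormGen version string and reports whether it falls inside the ranges the advisory names, and which fixed release to move to. The function and type names are my own; the only external call it makes is `importlib.metadata.version`, used to read the installed version when run on a real instance.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Assessment(NamedTuple):
    """Result of comparing an installed PloneFormGen version with the advisory."""
    affected: bool
    upgrade_to: Optional[str]   # fixed release named by the advisory, if any
    reason: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.7.9' (or '1.7.9b1') into a comparable tuple such as (1, 7, 9).

    Only the leading digits of each dotted component are used, so pre-release
    suffixes do not break the comparison.
    """
    parts = []
    for component in text.strip().split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError("unparseable version: %r" % text)
    return tuple(parts)


def assess_pfg_version(installed: str) -> Assessment:
    """Classify an installed Products.PloneFormGen version against the advisory.

    Ranges encoded here are exactly those the announcement states:
      * 1.7.4 through 1.7.8: remote code execution, fixed in 1.7.9
      * custom script adapter issue in most earlier versions, fixed in 1.7.9
        (1.7 series) and 1.6.7 (1.6 series)
    """
    v = parse_version(installed)
    series = v[:2]

    if series == (1, 7):
        if (1, 7, 4) <= v <= (1, 7, 8):
            return Assessment(True, "1.7.9",
                              "1.7.4-1.7.8: anonymous remote code execution")
        if v >= (1, 7, 9):
            return Assessment(False, None, "1.7.9 or later contains both fixes")
        return Assessment(True, "1.7.9",
                          "pre-1.7.4 release: custom script adapter issue")

    if series == (1, 6):
        if v >= (1, 6, 7):
            return Assessment(False, None, "1.6.7 or later contains the fix")
        return Assessment(True, "1.6.7",
                          "1.6 series before 1.6.7: custom script adapter issue")

    if v < (1, 6):
        # The advisory only says "most earlier versions" are affected and names
        # no fixed release for these; flag for review rather than guess.
        return Assessment(True, None,
                          "older than 1.6: advisory says most earlier versions "
                          "are affected; upgrade to a fixed series")

    return Assessment(False, None,
                      "newer than the 1.7 series: not covered by this advisory")


def installed_pfg_version() -> Optional[str]:
    """Read the installed Products.PloneFormGen version, or None if absent."""
    try:
        from importlib.metadata import version, PackageNotFoundError
    except ImportError:  # Python < 3.8
        return None
    try:
        return version("Products.PloneFormGen")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample versions covering each branch of the advisory.
    for sample in ["1.7.4", "1.7.8", "1.7.9", "1.7.2", "1.6.3", "1.6.7", "1.5.1"]:
        result = assess_pfg_version(sample)
        print(sample, "affected" if result.affected else "ok",
              result.upgrade_to or "-", result.reason)
    live = installed_pfg_version()
    if live is not None:
        print("installed:", live, assess_pfg_version(live))
```

Run it inside the Plone instance's Python (the buildout's `bin/instance run` or `bin/zopepy`) so `installed_pfg_version` sees the same site-packages as the site; anywhere else it simply reports the constructed samples. The check refuses to name an upgrade target for releases older than the 1.6 series because the announcement does not name one for them.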
Thanks to The Code Distillery's security analysts for the responsible
disclosure of the vulnerabilities, and for their suggestions for
addressing the issues.