CVE-2006-1711
MEDIUM severity · CVSS 5
Summary
Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: None
Integrity impact: —
Availability impact: None
Exploit probability (EPSS): 4%
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://dev.plone.org/plone/ticket/5432
- http://secunia.com/advisories/19633
- http://secunia.com/advisories/19640
- http://www.debian.org/security/2006/dsa-1032
- http://www.securityfocus.com/bid/17484
- http://www.vupen.com/english/advisories/2006/1340
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25781
- https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt