FreeBSD : plone -- multiple vulnerabilities (6b3374d4-6b0b-11e5-9909-002590263bf5)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Plone.org reports :

Versions Affected: All current Plone versions.

Versions Not Affected: None.

Nature of vulnerability: Allows creation of members by anonymous users
on sites that have self-registration enabled, allowing bypass of
CAPTCHA and similar protections against scripted attacks.

The patch can be added to buildouts as Products.PloneHotfix20150910
(available from PyPI) or downloaded from Plone.org.

Immediate Measures You Should Take: Disable self-registration until
you have applied the patch.

Plone's URL checking infrastructure includes a method for checking whether
URLs are valid and located in the Plone site. By passing HTML into a
specially crafted URL, XSS can be achieved.

See also :

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203255
https://plone.org/products/plone-hotfix/releases/20150910
http://www.nessus.org/u?12e0d9d3
https://plone.org/security/20150910/non-persistent-xss-in-plone
http://www.nessus.org/u?c2186c80
http://www.nessus.org/u?8d3f681c

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 86266
