The Plone Foundation has confirmed that its Plone open source content management system (CMS) contains a privilege escalation vulnerability. According to the Plone Security team, the security issue could allow "anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin".

All versions since 2.5 (e.g. 2.5, 3.0, 3.1, 3.2, 3.3, 4.0; including all minor and development revisions) are reportedly at risk – Plone 1.0, 2.0 and 2.1 are not affected. A hotfix patch that corrects the issue is available to download from the Plone Foundation web site. All users are advised to install the patch.

Further information about the vulnerability can be found in the security advisory. Plone is made available under the GPL.

(crve)