CVE-2006-1711
zope-cmfplone - programming error
EPSS 11.7%
Description
Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify or delete member portraits.
How to fix CVE-2006-1711
To remediate CVE-2006-1711, upgrade the affected package to one of the fixed versions listed below.
- Debian/zope-cmfplone: upgrade to 2.0.4-3sarge1 or later
- PyPI/plone: upgrade to 2.0.6 or later
Note that the description also names Plone 2.1.2 and 2.5-beta1, which fall outside the < 2.0.6 range listed on this page; for those branches, apply the fixed release for that branch rather than relying on the 2.0.6 threshold.
Is CVE-2006-1711 being exploited?
Moderate. EPSS estimates an 11.7% probability of exploitation activity in the next 30 days. Track this CVE, but it does not belong at the top of the prioritisation list.
Affected packages (2)
- Debian/zope-cmfplone: from 0, < 2.0.4-3sarge1
- PyPI/plone: from 0, < 2.0.6