A vulnerability was found allowing users who have access to write cookie values were able to inject headers into the response. Versions affected are all versions Plone 3. Upstream hotfix: https://plone.org/security/20150910/ CVE request: http://seclists.org/oss-sec/2015/q3/589