Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4030 to the following vulnerability: The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4030 [2] http://plone.org/products/plone-hotfix/releases/20110928 [3] http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip [4] http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
This issue did NOT affect the versions of the conga package, as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5. -- This issue did NOT affect the version of the plone package, as present within EPEL-5 repository.
From particular Pypi record: http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0 This hotfix fixes the following vulnerabilities: * A vulnerability in CMFEditions where KwAsAttributes classes were publishable, exposing sub-objects to anonymous access. This vulnerability is found in CMFEditions 2.0a1 and up. CMFEditions 1.x and before are not vulnerable. -- The version of CMFEditions in plone package from EPEL-5 repository is (Plone-3.1.6]# Products/CMFEditions/CHANGES.txt): CMFEditions 1.1.7 (June 2, 2008)
Upstream CMFEditions patch: [5] https://github.com/plone/Products.CMFEditions/commit/d55add52e5900967c8cc78becc6790048f02015b (also part of Plone PloneHotfix20110928/1.0)
Statement: Not vulnerable. This issue did not affect the versions of conga as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5 as they did not include support for CMFEditions.