It was found that by using relative paths and guessing locations on a server Plone is installed on, an attacker can read data from a target server that the process running plone has permission to read. The attacker needs administrator privileges on the Plone site to perform this attack. CVE assignment: http://seclists.org/oss-sec/2016/q3/417 External References: https://plone.org/security/hotfix/20160830/filesystem-information-leak
Created plone tracking bugs for this issue: Affects: epel-5 [bug 1373467]