CVE-2006-1711 - Vulnerability Details - OpenCVE

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.11107.

Key SSVC decision points have not yet been added.

Vendors	Products
Plone	Plone

Configuration 1 [-]

OR	cpe:2.3:a:plone:plone:2.0.5:::::::*
	cpe:2.3:a:plone:plone:2.1.2:::::::*
	cpe:2.3:a:plone:plone:2.5_beta1:::::::*

No data.

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-1032-1	New zope-cmfplone packages fix unprivileged data manipulation
Github GHSA	GHSA-jcwh-rj6j-vm75	Plone allows remote users to modify arbitrary portraits

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://dev.plone.org/plone/ticket/5432
http://secunia.com/advisories/19633
http://secunia.com/advisories/19640
http://www.debian.org/security/2006/dsa-1032
http://www.securityfocus.com/bid/17484
http://www.vupen.com/english/advisories/2006/1340
https://exchange.xforce.ibmcloud.com/vulnerabilities/25781
https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-04-11T18:00:00

Updated: 2024-08-07T17:19:49.405Z

Reserved: 2006-04-11T00:00:00

Link: CVE-2006-1711

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-04-11T18:06:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-1711

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-19T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://dev.plone.org/plone/ticket/5432"}, {"name": "19633", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/19633"}, {"name": "17484", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/17484"}, {"name": "DSA-1032", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2006/dsa-1032"}, {"name": "19640", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/19640"}, {"name": "ADV-2006-1340", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/1340"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt"}, {"name": "plone-memberid-data-manipulation(25781)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25781"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-1711", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://dev.plone.org/plone/ticket/5432", "refsource": "MISC", "url": "http://dev.plone.org/plone/ticket/5432"}, {"name": "19633", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/19633"}, {"name": "17484", "refsource": "BID", "url": "http://www.securityfocus.com/bid/17484"}, {"name": "DSA-1032", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2006/dsa-1032"}, {"name": "19640", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/19640"}, {"name": "ADV-2006-1340", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/1340"}, {"name": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt", "refsource": "CONFIRM", "url": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt"}, {"name": "plone-memberid-data-manipulation(25781)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25781"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T17:19:49.405Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://dev.plone.org/plone/ticket/5432"}, {"name": "19633", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/19633"}, {"name": "17484", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/17484"}, {"name": "DSA-1032", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2006/dsa-1032"}, {"name": "19640", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/19640"}, {"name": "ADV-2006-1340", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/1340"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt"}, {"name": "plone-memberid-data-manipulation(25781)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25781"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-1711", "datePublished": "2006-04-11T18:00:00", "dateReserved": "2006-04-11T00:00:00", "dateUpdated": "2024-08-07T17:19:49.405Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "67D4EB7F-BC46-4F2E-B065-303961C47B1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "78755057-2613-4D5E-8F59-2C117EE282B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:2.5_beta1:*:*:*:*:*:*:*", "matchCriteriaId": "C577B46C-7692-4B6F-B487-A28F73D403F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits."}], "id": "CVE-2006-1711", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-04-11T18:06:00.000", "references": [{"source": "cve@mitre.org", "url": "http://dev.plone.org/plone/ticket/5432"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/19633"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/19640"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2006/dsa-1032"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/17484"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/1340"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25781"}, {"source": "cve@mitre.org", "url": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dev.plone.org/plone/ticket/5432"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/19633"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/19640"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2006/dsa-1032"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/17484"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/1340"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25781"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}