CVE-2017-1000483

EUVD-2018-0115
Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | LOW | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
EPSS Score
Percentile: 52%
Affected Products (NVD)
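| Vendor | Product | Version |
|---|---|---|
| plone | plone | 2.5.5 |
| plone | plone | 3.3 |
| plone | plone | 3.3.1 |
| plone | plone | 3.3.2 |
| plone | plone | 3.3.3 |
| plone | plone | 3.3.4 |
| plone | plone | 3.3.5 |
| plone | plone | 3.3.6 |
| plone | plone | 4.0 |
| plone | plone | 4.0.1 |
| plone | plone | 4.0.2 |
| plone | plone | 4.0.3 |
| plone | plone | 4.0.4 |
| plone | plone | 4.0.5 |
| plone | plone | 4.0.7 |
| plone | plone | 4.0.8 |
| plone | plone | 4.0.9 |
| plone | plone | 4.0.10 |
| plone | plone | 4.1 |
| plone | plone | 4.1.1 |
| plone | plone | 4.1.2 |
| plone | plone | 4.1.3 |
| plone | plone | 4.1.4 |
| plone | plone | 4.1.5 |
| plone | plone | 4.1.6 |
| plone | plone | 4.2 |
| plone | plone | 4.2.1 |
| plone | plone | 4.2.2 |
| plone | plone | 4.2.3 |
| plone | plone | 4.2.4 |
| plone | plone | 4.2.5 |
| plone | plone | 4.2.6 |
| plone | plone | 4.2.7 |
| plone | plone | 4.3 |
| plone | plone | 4.3.1 |
| plone | plone | 4.3.2 |
| plone | plone | 4.3.3 |
| plone | plone | 4.3.4 |
| plone | plone | 4.3.5 |
| plone | plone | 4.3.6 |
| plone | plone | 4.3.7 |
| plone | plone | 4.3.8 |
| plone | plone | 4.3.9 |
| plone | plone | 4.3.10 |
| plone | plone | 4.3.11 |
| plone | plone | 4.3.12 |
| plone | plone | 4.3.14 |
| plone | plone | 4.3.15 |
| plone | plone | 5.0 |
| plone | plone | 5.0:rc1 |
| plone | plone | 5.0:rc2 |
| plone | plone | 5.0:rc3 |
| plone | plone | 5.0.1 |
| plone | plone | 5.0.2 |
| plone | plone | 5.0.3 |
| plone | plone | 5.0.4 |
| plone | plone | 5.0.5 |
| plone | plone | 5.0.6 |
| plone | plone | 5.0.7 |
| plone | plone | 5.0.8 |
| plone | plone | 5.0.9 |
| plone | plone | 5.1 |
| plone | plone | 5.1:a1 |
| plone | plone | 5.1:a2 |
| plone | plone | 5.1:b2 |
| plone | plone | 5.1:b3 |
| plone | plone | 5.1:b4 |
| plone | plone | 5.1:rc1 |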