9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2006-4247

GHSA ID

GHSA-5hch-v5pq-x4qp

EPSS Score

0.55558%

CWE

Published

5/1/2022

Updated

11/26/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2006-4247

CVE-2006-4247: Plone allows anonymous users to reset any users password through the web via Password Reset Tool

Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other users, related to "an erroneous security declaration."

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2006-4247

GHSA ID

GHSA-5hch-v5pq-x4qp

EPSS Score

0.55558%

CWE

Published

5/1/2022

Updated

11/26/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Plone	pip	>= 2.5, < 2.5.1	2.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from an erroneous security declaration in the Password Reset Tool. Since the core issue allows anonymous password resets, the most likely candidate is the password reset initiation function requestReset(). In Plone's architecture, security is typically enforced via Zope security declarations (@security.private, permissions). The absence of proper access controls on this critical function would directly enable unauthorized password resets. While exact code isn't available, the pattern matches Plone's security model and the described attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Unsp**i*i** vuln*r**ility in t** P*sswor* R*s*t Tool ***or* *.*.* on Plon* *.* *n* *.*.* R*l**s* **n*i**t* *llows *tt**k*rs to r*s*t t** p*sswor*s o* ot**r us*rs, r*l*t** to "*n *rron*ous s**urity ***l*r*tion."

Reasoning

T** vuln*r**ility st*ms *rom *n *rron*ous s**urity ***l*r*tion in t** P*sswor* R*s*t Tool. Sin** t** *or* issu* *llows *nonymous p*sswor* r*s*ts, t** most lik*ly **n*i**t* is t** p*sswor* r*s*t initi*tion *un*tion `r*qu*stR*s*t()`. In Plon*'s *r**it*

9.1

Basic Information

Concerned about an active attack path?

CVE-2006-4247: Plone allows anonymous users to reset any users password through the web via Password Reset Tool

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI