CVSS Score: -

Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The Full Disclosure post explicitly identifies the PAS (PluggableAuthService) methods getUsers and userSetPassword as the attack vectors. Both methods were improperly exposed on the ZODBUserManager class, so they could be invoked directly by URL without proper authentication. The security patch restricted access to these methods, and the logchecker.py script shipped with the hotfix specifically scans server logs for calls to them. The combination of user enumeration (getUsers) and password reset (userSetPassword) directly enables the administrative privilege escalation described in CVE-2011-0720.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Plone | pip | >= 2.5, < 4.0.4 | 4.0.4 |