| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| plone | pip | >= 2.1, <= 4.1 | 4.1.1 |
| plone | pip | >= 4.2, < 4.2.6 | 4.2.6 |
| plone | pip | >= 4.3, < 4.3.2 | 4.3.2 |
The vulnerability explicitly references zip.py as the source of the improper access control enforcement. While the exact function name is not specified in the available documentation, Plone's zip generation logic in the affected versions resides in Products/CMFPlone/utils.py (commonly imported as 'zip'). The core failure occurs in the archive generation workflow, where content inclusion lacked proper permission validation. Multiple independent sources (the CVE description, Red Hat Bugzilla, and the Plone security advisory) all confirm that the vulnerability stems from zip archive generation logic without adequate access checks, strongly indicating that the primary zip generation function is responsible.