The vulnerability stems from an unwrapped search API in CatalogTool.py. GitHub commit a6a3e50 adds a new 'search' method that applies the security checks (allowedRolesAndUsers, effectiveRange), indicating that the original implementation lacked these protections. The test case in testCatalogTool.py validates that search results respect permissions, confirming that the pre-patch method was insecure. The CWE-284 (Improper Access Control) classification and the advisory descriptions of bypassing restrictions through the search API further corroborate this analysis.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Plone | pip | >= 3.3b1, < 4.3.3 | 4.3.3 |
| Products.CMFPlone | pip | >= 3.3, < 4.3.3 | 4.3.3 |