7.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-4041

CVE-2016-4041: Plone vulnerable to privilege escalation in WebDAV

Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-4041

CVE-2016-4041:

7.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Plone	pip	>= 3.3, < 4.3.10	4.3.10
Plone	pip	>= 5.0, < 5.0.5	5.0.5
Plone	pip	= 5.1a1	5.1a2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing security declarations in Dexterity's WebDAV handling. WebDAVView is the primary handler for WebDAV operations in Dexterity, and security declarations (like @security.private or explicit permission checks) would normally be required here. The FTI (Factory Type Information) components handle content creation/modification via WebDAV PUT requests. Without Zope security declarations (either via decorators or ZCML), these entry points would bypass Plone's permission system. While exact pre-patch code isn't available, Dexterity's WebDAV integration architecture and Plone's security patterns strongly suggest these components as vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.