Multiple vulnerabilities have been reported in Plone, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and conduct script insertion attacks and by malicious people to conduct cross-site scripting and cross-site request forgery attacks, disclose potentially sensitive information, cause a DoS (Denial of Service), conduct brute force attacks, and compromise a vulnerable system.

1) An error within the control panel can be exploited to inject arbitrary Python statements.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. set a fake status message if a logged-in user visits a malicious web site.

3) An error when importing functions from certain locations can be exploited to call otherwise restricted functions.

Successful exploitation of this vulnerability requires "author RestrictedPython" privileges, but not "author full Python".

4) An error when handling certain URLs can be exploited to inject restricted (sandboxed) Python code.

5) An error within permissions checking of certain objects can be exploited to partially escape the Python sandbox allowing access to certain full Python functions.

Successful exploitation of this vulnerability requires "author RestrictedPython" privileges.

6) Certain input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) An error related to handling of attributes of unpublished content items can be exploited to disclose certain metadata about hidden objects.

8) An error when handling certain input within utility functions can be exploited to access trusted builtins and completely escape the sandbox.

Successful exploitation of this vulnerability requires "author RestrictedPython" privileges.

9) Certain input related to utility functions is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

10) An error within Kupu can be exploited to cause the ZServer thread to lock and deny further requests.

11) An error when handling a certain method of the membership database can be exploited to enumerate user accounts.

12) Some errors within the Collections functionality and utility functions can be exploited to create large amount of IO and cache usage causing excessive memory consumption.

13) An error when accessing BLOBs within custom content types can be exploited to access restricted files and images.

14) Certain input is not properly sanitised within filtering before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

15) An error within FTP functionality can be exploited to list restricted directory contents.

16) Certain input when stored in memory against a key is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

17) An error when handling an anonymous view lookup on certain content types can be exploited to disclose a private data structure.

18) An error when handling certain URLs within the RSS feed functionality can be exploited to cause an infinite loop within a server thread.

19) An error within the authentication system can be exploited to validate password by checking hash prefixes.

20) An error within certain error pages results in random numbers from the PRNG to be disclosed, which may allow password reset attacks.

The vulnerabilities are reported in all supported versions.

Solution
Apply patches.

Provided and/or discovered by
1, 3 - 5) Reported by the vendor.
2) WhiteHat security
6, 7, 10, 12) Richard Mitchell, Plone Security Team
8, 16) Alan Hoey, Plone Security Team
9) John Carr, Isotoma
11) Daniel Kraft, d9t.de
13) Alessandro SauZheR, Karl Johan Kleist
14) Mauro Gentile
15) mksht80
17) Roel Bruggink, fourdigits
18) David Beitey, James Cook University
19) Bastian Blank
20) Christian Heimes

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://plone.org/products/plone/security/advisories/20120830
http://plone.org/products/plone/security/advisories/20121106/

Deep Links
Links available to Secunia VIM customers