PatchSiren cyber security CVE debrief
CVE-2016-4043 Plone CVE debrief
CVE-2016-4043 affects Plone 5.0rc1 through 5.1a1 and lets a remote authenticated user bypass Restricted Python by creating or editing templates with the right permissions. The practical risk is integrity-focused rather than availability-focused, and exploitation requires elevated application permissions, but environments that delegate template management to non-admin users should treat it as a real control-bypass issue and patch or harden quickly.
- Vendor: Plone
- Product: CVE-2016-4043
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-24
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-24
- Advisory updated: 2026-05-13
Who should care
Plone administrators, application owners, and security teams running Plone 5.0rc1 through 5.1a1, especially sites where users beyond full administrators can create or edit templates.
Technical summary
NVD describes the issue as a CVSS 3.0 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N problem, which aligns with the core requirement for privileged authenticated access. The vulnerability is a Restricted Python bypass in Chameleon (five.pt) template handling: if a user can create or edit templates, they may escape the intended sandboxing/control boundary. NVD maps the weakness to CWE-264.
Defensive priority
Medium. The issue is network-reachable and can materially affect integrity, but it requires high privileges in the application, which lowers exposure compared with unauthenticated flaws.
Recommended defensive actions
- Identify and inventory any Plone deployments in the affected range: 5.0rc1, 5.0rc2, 5.0rc3, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, and 5.1a1.
- Apply the vendor hotfix or other Plone security guidance referenced in the advisory.
- Restrict template creation and editing to trusted administrative roles only; remove unnecessary permissions from delegated users.
- Review custom templates and recent template changes for unauthorized or unexpected edits.
- Monitor authentication and content-management logs for privileged template activity, especially on environments that expose template editing to non-admin staff.
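The inventory step above is easy to get wrong when Plone version strings are compared textually: "5.0" and "5.0.0" are the same release, and "5.0rc1" sorts before "5.0", not after it. The following is an added example, not code from the page or from Plone, that canonicalises version strings and checks them against the exact affected list given in the advisory. The hostnames and versions in the sample inventory are constructed; a version that falls between listed versions but is not itself listed is reported as "unlisted-in-range" rather than guessed either way, since the page only vouches for the versions it names.

```python
import re

# Affected versions exactly as listed in the advisory text.
AFFECTED_VERSIONS = [
    "5.0rc1", "5.0rc2", "5.0rc3", "5.0",
    "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1a1",
]

# release digits, optional pre-release tag (a/b/rc) and number
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any of its pre-releases


def version_key(version):
    """Orderable canonical key: (release padded to 3 parts, pre-release rank, pre-release number).

    '5.0' and '5.0.0' produce the same key; '5.0rc1' < '5.0' < '5.0.1' < '5.1a1' < '5.1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) < 3:
        release.append(0)
    if m.group(2):
        return (tuple(release), _PRE_RANK[m.group(2)], int(m.group(3)))
    return (tuple(release), _FINAL_RANK, 0)


_AFFECTED_KEYS = {version_key(v) for v in AFFECTED_VERSIONS}
_LOWEST, _HIGHEST = min(_AFFECTED_KEYS), max(_AFFECTED_KEYS)


def classify(version):
    """Return one of: affected, older-than-range, newer-than-range, unlisted-in-range."""
    key = version_key(version)
    if key in _AFFECTED_KEYS:
        return "affected"
    if key < _LOWEST:
        return "older-than-range"
    if key > _HIGHEST:
        return "newer-than-range"
    # Between listed versions but not named by the advisory: confirm against the vendor hotfix notes.
    return "unlisted-in-range"


def inventory(deployments):
    """deployments: mapping hostname -> Plone version string. Returns hostname -> classification."""
    return {host: classify(ver) for host, ver in deployments.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "intranet.example.test": "5.0.4",
        "www.example.test": "5.1",
        "staging.example.test": "5.0rc2",
        "legacy.example.test": "4.3.9",
        "docs.example.test": "5.0.0",
    }
    for host, status in sorted(inventory(sample).items()):
        print(f"{host:28} {sample[host]:8} {status}")
```

Only hosts reported as "affected" are confirmed by the advisory's own list; "unlisted-in-range" hosts still warrant a manual check against the vendor hotfix notes before being cleared.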
Evidence notes
The CVE description states that Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. NVD lists the affected CPEs and the CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, and it maps the issue to CWE-264. The supplied references include an OSS-Security mailing list post and a Plone vendor hotfix/advisory, both dated 2016-04-19/20, while the CVE/NVD publication timestamp is 2017-02-24.
Official resources
- CVE-2016-4043 CVE record (CVE.org)
- CVE-2016-4043 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Public CVE/NVD publication is dated 2017-02-24, while the vendor hotfix and mailing-list advisory references in the supplied corpus are dated 2016-04-19/20, indicating earlier vendor disclosure and remediation context.