PatchSiren

Plone CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Plone CVE published 2017-02-24

CVE-2016-4043

CVE-2016-4043 affects Plone 5.0rc1 through 5.1a1 and lets a remote authenticated user bypass RestrictedPython by creating or editing templates with the right permissions. The practical risk is integrity-focused rather than availability-focused, and exploitation requires elevated application permissions, but environments that delegate template management to non-admin users should treat it as a real contro [truncated]

HIGH Plone CVE published 2017-02-24

CVE-2016-4041

CVE-2016-4041 is a Plone access-control flaw affecting Dexterity content-related WebDAV requests. The issue was publicly discussed in April 2016 and later published as a CVE in February 2017. NVD rates it HIGH (CVSS 7.3) with network access, no authentication, and impacts to confidentiality, integrity, and availability. Plone operators should treat this as a priority hardening item: apply the vendor hotfi [truncated]

MEDIUM Plone CVE published 2017-02-04

CVE-2016-7147

CVE-2016-7147 is a cross-site scripting flaw in Plone's Zope ZMI search path, specifically the manage_findResult component. The record says remote attackers could inject arbitrary web script or HTML through vectors involving double quotes, with obj_ids:tokens called out as a demonstration input. NVD also ties the issue to an incomplete fix for CVE-2016-7140. The affected versions listed in the source corp [truncated]