VYPR
Moderate severity · NVD Advisory · Published May 2, 2014 · Updated May 6, 2026

CVE-2013-7061

Description

Plone 3.3–4.3.2 allows remote administrators to bypass content restrictions via an unwrapped search API, leaking sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Plone versions 3.3 through 4.3.2, the CatalogTool class in Products/CMFPlone/CatalogTool.py exposes a search() method that, unlike the protected searchResults() method, does not apply permission and workflow state filtering. This allows an authenticated user with the ability to write untrusted Python code to query the catalog without the usual restrictions that prevent access to expired or unauthorized content [3]. The underlying issue is that the API inherited from CMF/Zope was not properly wrapped to include the same security checks [2].

Exploitation

An attacker must have a Plone account with sufficient privileges to write and execute untrusted Python code (for example, a Site Administrator or a user granted the “Use Python Scripts” permission). By calling the catalog.search() method directly with arbitrary query parameters, the attacker can bypass the allowedRolesAndUsers filter and the effectiveRange filter that normally hides expired content [3][4]. The exploit requires no user interaction beyond the attacker’s own actions, and the attack is performed remotely over the network [1].

Impact

Successful exploitation results in disclosure of sensitive information. The attacker can retrieve cataloged content—including items that are normally hidden due to permission restrictions or workflow state (e.g., unpublished, expired, or private documents)—thereby gaining access to data they should not be able to see [3]. The impact is limited to information disclosure; the attacker cannot modify or delete content through this vulnerability alone.

Mitigation

Plone released a hotfix on 10 December 2013 that patches the CatalogTool to wrap the search() method identically to searchResults(), adding the permission and effective-range filters [4]. Administrators should upgrade to Plone 4.3.3 or apply the hotfix for earlier supported versions. Users on unsupported branches (3.3.x) should upgrade to a supported release. No workaround other than restricting the ability to write Python code is available if the patch cannot be applied immediately.
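The wrapping described in the Vulnerability and Mitigation sections, modelled as an added stand-alone Python example (this is not Plone's code): a toy catalog with an unwrapped raw_search() that honours only the query keys it is given, and a wrapped_search() that injects the allowedRolesAndUsers and effectiveRange filters before delegating, the way the patched CatalogTool.search() does. The catalog rows, the two users, the list_allowed_roles_and_users() helper and the NOW timestamp are all constructed for illustration; in Plone the corresponding pieces are CatalogTool._listAllowedRolesAndUsers and the AccessInactivePortalContent permission check.

```python
# Added example: a stand-alone model of the CVE-2013-7061 fix. Not Plone code;
# the catalog, users and dates below are constructed for illustration.
from datetime import datetime

# Constructed "current time" used by the effectiveRange filter.
NOW = datetime(2014, 1, 29)

# Constructed sample catalog rows: the fields a brain carries for security filtering.
CATALOG = [
    {"id": "public-page", "portal_type": "Document",
     "allowedRolesAndUsers": ["Anonymous"],
     "effective": datetime(2013, 1, 1), "expires": datetime(2099, 12, 31)},
    {"id": "members-only", "portal_type": "Document",
     "allowedRolesAndUsers": ["Member"],
     "effective": datetime(2013, 1, 1), "expires": datetime(2099, 12, 31)},
    {"id": "alice-draft", "portal_type": "Document",
     "allowedRolesAndUsers": ["user:alice"],
     "effective": datetime(2013, 1, 1), "expires": datetime(2099, 12, 31)},
    {"id": "expired-news", "portal_type": "Document",
     "allowedRolesAndUsers": ["Anonymous"],
     "effective": datetime(2010, 1, 1), "expires": datetime(2012, 12, 31)},
    {"id": "not-yet-effective", "portal_type": "Document",
     "allowedRolesAndUsers": ["Anonymous"],
     "effective": datetime(2020, 1, 1), "expires": datetime(2099, 12, 31)},
]

# Constructed users: user id -> roles held. "anonymous" stands for an unauthenticated visitor.
USERS = {
    "anonymous": ["Anonymous"],
    "alice": ["Anonymous", "Authenticated", "Member"],
}


def list_allowed_roles_and_users(user_id):
    """Hypothetical stand-in for CatalogTool._listAllowedRolesAndUsers: the roles
    a user holds plus a 'user:<id>' token so per-user local roles can match."""
    allowed = list(USERS[user_id])
    if user_id != "anonymous":
        allowed.append("user:" + user_id)
    return allowed


def raw_search(query):
    """The unwrapped ZCatalog-style search: it applies exactly the keys present in
    the query and nothing else, so any caller that omits the security keys sees
    everything in the catalog. This is the behaviour CVE-2013-7061 exposed."""
    results = []
    for brain in CATALOG:
        if "portal_type" in query and brain["portal_type"] != query["portal_type"]:
            continue
        if "allowedRolesAndUsers" in query and not (
                set(brain["allowedRolesAndUsers"]) & set(query["allowedRolesAndUsers"])):
            continue
        if "effectiveRange" in query:
            now = query["effectiveRange"]
            if not (brain["effective"] <= now <= brain["expires"]):
                continue
        results.append(brain["id"])
    return results


def wrapped_search(query, user_id, now=NOW, can_access_inactive=False):
    """Models the patched CatalogTool.search(): add the same two filters that
    searchResults() applies, then delegate to the raw search. The query is
    copied first so the caller's dict is never mutated."""
    q = dict(query)
    q["allowedRolesAndUsers"] = list_allowed_roles_and_users(user_id)
    if not can_access_inactive:  # in Plone: the AccessInactivePortalContent permission
        q["effectiveRange"] = now
    return raw_search(q)


if __name__ == "__main__":
    query = {"portal_type": "Document"}
    print("unwrapped search:", raw_search(query))
    print("anonymous, wrapped:", wrapped_search(query, "anonymous"))
    print("alice, wrapped:    ", wrapped_search(query, "alice"))
    print("anonymous, inactive allowed:",
          wrapped_search(query, "anonymous", can_access_inactive=True))
```

Run as a script, the unwrapped search returns all five rows regardless of who asks, while the wrapped search narrows the result to what the caller's roles and the current date permit; the can_access_inactive flag shows why the effectiveRange filter is conditional on a permission rather than always applied.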

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions     Patched versions
Plone (PyPI)                >= 3.3b1, < 4.3.3     4.3.3
Products.CMFPlone (PyPI)    >= 3.3, < 4.3.3       4.3.3

Affected products

35 matched products:
  • 33 CPE entries (plone:plone 3.3 through 4.3.2):
    • cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*
  • 2 GHSA version ranges (no CPE):
    • >= 3.3b1, < 4.3.3
    • >= 3.3, < 4.3.3

Patches

1 commit: a6a3e50f759d

merge hotfixes

Repository: https://github.com/plone/Products.CMFPlone · Author: Nathan Van Gheem · Jan 29, 2014 · via GHSA
5 files changed · +43 −3
  • docs/CHANGES.rst (+3 −0, modified)
    @@ -8,6 +8,9 @@ Changelog
     4.3.3 (unreleased)
     ------------------
     
    +- merge hotfixes from https://pypi.python.org/pypi/Products.PloneHotfix20131210
    +  [vangheem]
    +
     - handle plone.app.textfield RichTextValue objects in syndication. Should
       fix syndication with plone.app.contenttypes.
       [vangheem]
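Review bot: the changelog entry names only the hotfix package; since this merge is the fix for CVE-2013-7061 (the unprotected catalog search() path), consider citing the CVE and the search() change in the entry so downstream packagers and scanners can map the 4.3.3 release to the advisory.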
    
  • Products/CMFPlone/CatalogTool.py (+21 −0, modified)
    @@ -394,6 +394,27 @@ def searchResults(self, REQUEST=None, **kw):
     
         __call__ = searchResults
     
    +    def search(self, *args, **kw):
    +        # Wrap search() the same way that searchResults() is
    +        query = {}
    +
    +        if args:
    +            query = args[0]
    +        elif 'query_request' in kw:
    +            query = kw.get['query_request']
    +
    +        kw['query_request'] = query.copy()
    +
    +        user = _getAuthenticatedUser(self)
    +        query['allowedRolesAndUsers'] = self._listAllowedRolesAndUsers(user)
    +
    +        if not _checkPermission(AccessInactivePortalContent, self):
    +            query['effectiveRange'] = DateTime()
    +
    +        kw['query_request'] = query
    +
    +        return super(CatalogTool, self).search(**kw)
    +
         security.declareProtected(ManageZCatalogEntries, 'clearFindAndRebuild')
         def clearFindAndRebuild(self):
             """Empties catalog, then finds all contentish objects (i.e. objects
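Review bot: `query = kw.get['query_request']` subscripts the bound method `dict.get` and raises TypeError whenever search() is called with a `query_request` keyword and no positional argument; it should be `kw.get('query_request', {})`. Two smaller points in the same block: `kw['query_request'] = query.copy()` is overwritten a few lines later by `kw['query_request'] = query`, so the copy is dead code and the filters are written into the caller's own dict when the query is passed as `args[0]`; keeping the copy and adding `allowedRolesAndUsers` and `effectiveRange` to it fixes both. Also, any positional arguments after the first are silently dropped rather than forwarded to `super(CatalogTool, self).search`.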
    
  • Products/CMFPlone/FactoryTool.py (+1 −0, modified)
    @@ -272,6 +272,7 @@ class FactoryTool(PloneBaseTool, UniqueObject, SimpleItem):
         f = open(os.path.join(wwwpath, 'portal_factory_docs.stx'), 'r')
         _docs = f.read()
         f.close()
    +    del f
         _docs = stx2html(_docs)
     
         security.declarePublic('docs')
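Review bot: `del f` needs a comment saying why it is there. This code runs in the class body, so without the `del` the open file object stays bound as a class attribute reachable by name, which is what the new testFactoryToolDocsFileNotPublishable test (publishing `/plone/portal_factory/f`) guards against. A one-line comment such as `# do not leave the file object as a publishable class attribute` stops a later cleanup from removing the line as dead code.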
    
  • Products/CMFPlone/tests/testCatalogTool.py (+10 −3, modified)
    @@ -480,10 +480,17 @@ def testSearchIgnoreAccents(self):
             self.assertEqual(len(self.catalog(SearchableText='Économétrie')), 3)
             self.assertEqual(len(self.catalog(SearchableText='Econométrie')), 3)
             self.assertEqual(len(self.catalog(SearchableText='ECONOMETRIE')), 3)
    -                
    -                
     
    -        
    +    def testSearchIsProtected(self):
    +        self.login()
    +        self.folder.invokeFactory("Document", "sekretz")
    +        self.logout()
    +        catalog = self.portal.portal_catalog
    +        bogus = catalog.search({'portal_type': 'Document'})
    +        real = catalog.portal_catalog.searchResults(portal_type='Document')
    +        self.assertEqual(len(bogus), len(real))
    +
    +
     class TestCatalogSorting(PloneTestCase.PloneTestCase):
     
         def afterSetUp(self):
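Review bot: `catalog.portal_catalog.searchResults(...)` in testSearchIsProtected only works through acquisition, since `catalog` is already `self.portal.portal_catalog`; use `catalog.searchResults(portal_type='Document')`. The assertion also compares result counts only; since the document is created while logged in and both searches run after logout, additionally asserting that 'sekretz' does not appear in `bogus` would make the regression test check the content restriction itself rather than a matching count.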
    
  • Products/CMFPlone/tests/testPortalFactory.py (+8 −0, modified)
    @@ -1,4 +1,5 @@
     import urlparse
    +import os
     from Products.CMFPlone.tests import PloneTestCase
     
     from Products.CMFCore.permissions import AddPortalContent
    @@ -352,3 +353,10 @@ def testBrowserResource(self):
             path = "%s/++resource++plone-logo.png" % self.tmp_obj_path
             data = self.publish(path)
             self.assertEqual(data.getHeader('Content-Type'), 'image/png')
    +
    +    def testFactoryToolDocsFileNotPublishable(self):
    +        import Products.CMFPlone
    +        res = self.publish('/plone/portal_factory/f')
    +        plone_code = os.path.dirname(Products.CMFPlone.__file__)
    +
    +        self.assertNotIn(plone_code, res.getBody())
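Review bot: `import Products.CMFPlone` inside testFactoryToolDocsFileNotPublishable belongs at module level next to the new `import os`. More importantly, the test only asserts that the Plone source directory is absent from the response body, so a response that exposed the file object without that path would still pass; asserting on the response status as well (the request for `portal_factory/f` should not publish anything) would state the intended behaviour directly.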
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0

No linked articles in our index yet.