CVE-2011-3587
published 2011-10-10


Priority: P182 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.55% (99.5th percentile)

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

Affected

59 ranges · showing 25

Vendor | Product | Version range | Fixed in
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | cmfeditions | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | |
plone | plone | >= 4.0 < 4.0.10 | 4.0.10

Detection & IOCs (extracted from sources)

url: http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=
path: /p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2
path: OFS/misc_.py
  • Monitor HTTP requests targeting the path /p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2 with a 'cmd' query parameter — this is the exact attack vector for CVE-2011-3587 remote command execution on Plone/Zope.
  • The vulnerability is rooted in the p_ class in OFS/misc_.py in Zope 2.12.x and 2.13.x; detection should focus on traversal through the p_ object to reach Python stdlib modules (e.g., os.popen2).
  • Exploitation does not require authentication — anonymous HTTP GET requests with a cmd= parameter to the xmltools traversal path are sufficient for RCE; alert on any such unauthenticated request.
  • Watch for outbound TCP connections from the Zope/Plone process to unexpected hosts/ports (e.g., /dev/tcp/<ip>/<port> shell redirections), which indicate successful exploitation and data exfiltration.
  • Only Zope 2.12.x and 2.13.x are vulnerable; Plone installations running other Zope versions are NOT affected. Scope detection rules accordingly.
  • The exploit path yields no command output in the HTTP response — blind/out-of-band execution only. Detection must rely on network-level or process-level telemetry rather than HTTP response content.
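
The request-side checks from the bullets above, as an added example (not code from this page or from the Zope/Plone project). It assumes combined-format access logs and that legitimate p_ requests go only one segment below p_; `classify`, `scan` and the sample lines are hypothetical and constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path this page lists as the CVE-2011-3587 vector.
KNOWN_PATH = "/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2"
# Assumed log format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder cmd value).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2011:13:55:36 +0000] "GET ' + KNOWN_PATH
    + '?cmd=PLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.11 - - [10/Oct/2011:13:56:02 +0000] '
    '"GET /Plone/%70_/webdav/xmltools/minidom HTTP/1.1" 404 512',
    '198.51.100.7 - editor [10/Oct/2011:13:57:10 +0000] "GET /p_/pl HTTP/1.1" 200 874',
    '198.51.100.7 - - [10/Oct/2011:13:57:11 +0000] "GET /front-page HTTP/1.1" 200 5120',
]

def classify(target):
    """Return 'exact', 'traversal' or None for one request target."""
    parts = urlsplit(target)
    # Decode percent-escapes first so an encoded "p_" or "/" cannot hide the path.
    segs = [s for s in unquote(parts.path).split("/") if s]
    if "p_" not in segs:
        return None
    tail = segs[segs.index("p_"):]  # ignore any site prefix such as /Plone
    has_cmd = "cmd" in parse_qs(parts.query, keep_blank_values=True)
    if "/" + "/".join(tail) == KNOWN_PATH and has_cmd:
        return "exact"
    # Assumption: legitimate p_ requests stop one segment below p_.
    return "traversal" if len(tail) > 2 else None

def scan(lines):
    """Return one alert dict per log line that touches the p_ traversal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, method, target, status = m.groups()
        verdict = classify(target)
        if verdict:
            alerts.append({"client": client, "anonymous": user == "-",
                           "method": method, "status": int(status),
                           "verdict": verdict})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Because the response carries no command output, an alert here marks an attempt only; confirming execution still needs the process-level and outbound-connection telemetry named in the bullets.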

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa | | 9.3 | CRITICAL |
osv | | 9.3 | CRITICAL |
vulncheck | | 9.3 | CRITICAL |
vendor_redhat | | 9.3 | CRITICAL |