CVE-2011-3587
Published: 2011-10-10
Priority: P1 | 82 | critical | 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.55% (99.5th percentile)
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
Affected
59 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plone | cmfeditions | — | — |
| plone | plone | — | — |
| plone | plone | >= 4.0 < 4.0.10 | 4.0.10 |
Detection & IOCs
- Monitor HTTP requests targeting the path `/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2` with a `cmd` query parameter; this is the exact attack vector for CVE-2011-3587 remote command execution on Plone/Zope.
- The vulnerability is rooted in the `p_` class in `OFS/misc_.py` in Zope 2.12.x and 2.13.x; detection should focus on traversal through the `p_` object to reach Python stdlib modules (e.g., `os.popen2`).
- Exploitation does not require authentication: anonymous HTTP GET requests with a `cmd=` parameter to the xmltools traversal path are sufficient for RCE; alert on any such unauthenticated request.
- Watch for outbound TCP connections from the Zope/Plone process to unexpected hosts/ports (e.g., `/dev/tcp/<ip>/<port>` shell redirections), which indicate successful exploitation and data exfiltration.
- Only Zope 2.12.x and 2.13.x are vulnerable; Plone installations running other Zope versions are NOT affected. Scope detection rules accordingly.
- The exploit path yields no command output in the HTTP response (blind/out-of-band execution only). Detection must rely on network-level or process-level telemetry rather than HTTP response content.
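The request-side checks above can be run over web server access logs. The following is an added example, not code from this page or its sources: it assumes Apache/nginx "combined" log lines, the names `classify` and `scan` are hypothetical, and treating a single name under `p_` as benign is an assumption to tune per site.

```python
import re
from urllib.parse import unquote, parse_qs

# Request field of an Apache/nginx "combined" log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(target):
    """Return 'exploit', 'traversal' or None for one request target."""
    path, _, query = target.partition("?")
    # Decode twice so single and double percent-encoding both normalise;
    # dropping empty segments also collapses repeated slashes.
    segs = [s for s in unquote(unquote(path)).split("/") if s]
    if "p_" not in segs:
        return None
    tail = segs[segs.index("p_") + 1:]
    # Assumption: a single name under p_ is an ordinary resource fetch;
    # deeper traversal is what reaches Python modules.
    if len(tail) < 2:
        return None
    params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if "os" in tail and "cmd" in params:
        return "exploit"      # matches the vector quoted on this page
    return "traversal"        # p_ traversal without the cmd parameter

def scan(lines):
    """Return (line_number, verdict, client_ip) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        verdict = classify(m.group("target")) if m else None
        if verdict:
            hits.append((n, verdict, line.split()[0]))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder cmd value).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2011:13:55:36 +0000] "GET /p_/sp HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2011:13:56:01 +0000] "GET /p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=REDACTED HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [10/Oct/2011:13:56:09 +0000] "GET /Plone/%70_//webdav/xmltools/minidom HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [10/Oct/2011:13:57:12 +0000] "GET /news/p_values-explained HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the response carries no command output, a hit here only shows an attempt; correlate it with process and outbound-connection telemetry from the Zope/Plone host to judge whether it succeeded.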
CVSS provenance
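| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | — | 9.3 | CRITICAL | — |
| osv | — | 9.3 | CRITICAL | — |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |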
Red Hat
plone: Sub-objects access via unspecified vectors
vendor_redhat·2011-10-04·CVSS 9.3
CVE-2011-4030 [CRITICAL] plone: Sub-objects access via unspecified vectors
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.
Statement: Not vulnerable. This issue did not affect the versions of conga as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5 as they did not include support for CMFEditions.
Package: conga (Red Hat Enterprise Linux 5) - Not affected
Red Hat
zope: Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
vendor_redhat·2011-09-28·CVSS 9.3
CVE-2011-3587 [CRITICAL] zope: Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
Statement: Not vulnerable. This issue did not affect the versions of conga as
shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and 5.
OSV
Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
osv·2022-05-17·CVSS 9.3
CVE-2011-4030 [CRITICAL] Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.
GHSA
Zope Command Execution Vulnerability
ghsa·2022-05-17
CVE-2011-3587 [HIGH] Zope Command Execution Vulnerability
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the `p_` class in `OFS/misc_.py` and the use of Python modules.
OSV
Zope Command Execution Vulnerability
osv·2022-05-17
CVE-2011-3587 [HIGH] Zope Command Execution Vulnerability
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the `p_` class in `OFS/misc_.py` and the use of Python modules.
GHSA
Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
ghsa·2022-05-17·CVSS 9.3
CVE-2011-4030 [CRITICAL] Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.
OSV
CVE-2011-3587: The CMFEditions component 2
osv·2011-10-10·CVSS 9.3
CVE-2011-3587 [CRITICAL] CVE-2011-3587: The CMFEditions component 2
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.
VulnCheck
Zope 2.12.x and 2.13.x Remote Code Execution
vulncheck·2011·CVSS 9.3
CVE-2011-3587 [CRITICAL] Zope 2.12.x and 2.13.x Remote Code Execution
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
Affected: plone plone
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
No detection rules found.
Exploit-DB
Plone and Zope - Remote Command Execution
exploitdb·2011-12-21·CVSS 9.3
CVE-2011-3587 [CRITICAL] Plone and Zope - Remote Command Execution
---
# Exploit Title: Plone - Remote Command Execution
# Date: 12/21/2011
# Author: Nick Miles (www.npenetrable.com)
# Tested on: 12/21/2011
# CVE : CVE-2011-3587
Versions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone
4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope
2.12.x and Zope 2.13.x.
Advisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928
You can execute any command on the remote Plone server with the
following request
if the server is Unix/Linux based (Note: you won't get returned the
results of the command):
http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=
Example:
Listen for a connection:
$ n
Metasploit
Plone and Zope XMLTools Remote Command Execution
metasploit
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Bugzilla
CVE-2011-4030 plone: Sub-objects access via unspecified vectors
bugzilla·2011-10-10·CVSS 9.3
CVE-2011-4030 [CRITICAL] CVE-2011-4030 plone: Sub-objects access via unspecified vectors
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4030 to
the following vulnerability:
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and
4.2 through 4.2a2 does not prevent the KwAsAttributes classes from
being publishable, which allows remote attackers to access sub-objects
via unspecified vectors, a different vulnerability than CVE-2011-3587.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4030
[2] http://plone.org/products/plone-hotfix/releases/20110928
[3] http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip
[4] http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
Discussion:
This issue did NOT affect the versions of th
Bugzilla
CVE-2011-3587 zope: Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
bugzilla·2011-09-29·CVSS 9.3
CVE-2011-3587 [CRITICAL] CVE-2011-3587 zope: Unspecified vulnerability in Zope v2.12.x and Zope v2.13.x allowing arbitrary code execution
Plone upstream has published a pre-announcement about a security flaw, present in Zope v2.12.x and Zope v2.13.x, which could allow execution of arbitrary code by anonymous users. An authenticated attacker could provide a specially-crafted web page, which once visited by an unsuspecting Zope user would lead to arbitrary commands execution with the privileges of the Zope/Plone service.
References:
[1] http://plone.org/products/plone/security/advisories/20110928
[2] http://secunia.com/advisories/46221/
Note: The vendor announced the final version of the advisory and
the patch to be available at 2011-10-04 15:00 UTC at the
following location:
[3] http://plone.org/products/plone/s
- http://plone.org/products/plone-hotfix/releases/20110928
- http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip
- http://plone.org/products/plone/security/advisories/20110928
- http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
- http://secunia.com/advisories/46221
- http://secunia.com/advisories/46323
- http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
- https://bugzilla.redhat.com/show_bug.cgi?id=742297