Skip to main content

Use of Externally-Controlled Format String


Severity Medium
Score 6.5/10


An attacker can access private content via Python's str.format vulnerability in through-the-web templates and scripts in Plone. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.

  • LOW
  • NONE
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-134 - Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Advisory Timeline

  • Published