{"id":"CVE-2016-4043","details":"Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.","aliases":["GHSA-6h8x-73fx-q2h9","PYSEC-2017-57"],"modified":"2026-07-08T05:48:39.305956179Z","published":"2017-02-24T20:59:00.360Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"5.0"},{"last_affected":"5.0"}],"vendor_product":"plone:plone","cpes":["cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*"],"source":"CPE_STRING"}]},"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/04/20/3"},{"type":"ADVISORY","url":"https://plone.org/security/hotfix/20160419/bypass-restricted-python"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone","events":[{"introduced":"c4244a4887e0901a1c17b3ee60e1cfbe19ee46c5"},{"last_affected":"4d260f76643a633d312b81d568ca5bed57e330e0"}],"database_specific":{"extracted_events":[{"introduced":"5.0"},{"last_affected":"5.0"},{"introduced":"5.0-rc1"},{"last_affected":"5.0-rc1"},{"introduced":"5.0-rc2"},{"last_affected":"5.0-rc2"},{"introduced":"5.0-rc3"},{"last_affected":"5.0-rc3"},{"introduced":"5.0.1"},{"last_affected":"5.0.1"},{"introduced":"5.0.2"},{"last_affected":"5.0.2"},{"introduced":"5.0.3"},{"last_affected":"5.0.3"},{"introduced":"5.0.4"},{"last_affected":"5.0.4"},{"introduced":"5.1a1"},{"last_affected":"5.1a1"}],"cpe":["cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["5.0","5.0-rc1","5.0-rc2","5.0-rc3","5.0.1","5.0.2","5.0.3","5.0.4","5.1a1","5.1b1","5.1a2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4043.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone.namedfile","events":[{"introduced":"29e22ca1987dcae970b89f39a4479171426bb6bf"},{"last_affected":"49fb6e5b7f97a02402bc12219a9d8e7d04c6e217"}],"database_specific":{"extracted_events":[{"introduced":"5.0.1"},{"last_affected":"5.0.1"},{"introduced":"5.0.2"},{"last_affected":"5.0.2"},{"introduced":"5.0.3"},{"last_affected":"5.0.3"},{"introduced":"5.0.4"},{"last_affected":"5.0.4"}],"cpe":["cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["5.0.1","5.0.2","5.0.3","5.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4043.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}