{"id":"PYSEC-2008-14","details":"Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page.","aliases":["CVE-2008-0164","GHSA-4j3w-g62x-hrcp","PYSEC-2008-15"],"modified":"2026-05-20T08:11:20.457388316Z","published":"2008-03-20T00:44:00Z","references":[{"type":"ADVISORY","url":"http://plone.org/about/security/advisories/cve-2008-0164"},{"type":"EVIDENCE","url":"http://www.procheckup.com/Hacking_Plone_CMS.pdf"},{"type":"ADVISORY","url":"http://secunia.com/advisories/29361"},{"type":"WEB","url":"http://securityreason.com/securityalert/3754"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41263"},{"type":"WEB","url":"http://www.securityfocus.com/archive/1/489544/100/0/threaded"}],"affected":[{"package":{"name":"plone","ecosystem":"PyPI","purl":"pkg:pypi/plone"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/plone/PYSEC-2008-14.yaml"}}],"schema_version":"1.7.3"}