Plone is vulnerable to a sandbox escape: private content can be accessed via str.format in through-the-web templates and scripts. str.format, Python's new-style string formatting introduced in Python 2.6, causes the security issue when it is applied to untrusted user input. If an attacker can control the format string, the attacker can access potentially internal attributes of objects. This can be exploited to bypass the Jinja2 Sandbox in a way that permits retrieving information that attackers should not have access to.
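The mechanism described above (a format field such as `{0.attr}` resolving through unrestricted `getattr`) and one defensive pattern, a `string.Formatter` subclass that allow-lists attribute lookups, as an added illustrative example; this is not Plone's own hotfix code. The `Doc` class, its `_secret` attribute and the allow-list are constructed for the demonstration.

```python
import _string  # the field-name parser the stdlib's string.Formatter itself uses
import string


class FormatDenied(Exception):
    """Raised when a format string asks for a field the policy does not allow."""


class RestrictedFormatter(string.Formatter):
    """Drop-in for str.format that guards '{0.attr}' and '{0[key]}' lookups.

    Plain str.format resolves attribute and item fields with unrestricted
    getattr/getitem, so a user-controlled format string can walk from a
    harmless object into its private attributes. This illustrative subclass
    rejects underscore-prefixed names and any attribute not on the allow-list.
    """

    def __init__(self, allowed_attrs=()):
        super().__init__()
        self.allowed_attrs = frozenset(allowed_attrs)

    def get_field(self, field_name, args, kwargs):
        first, rest = _string.formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            if is_attr:
                if name.startswith("_") or name not in self.allowed_attrs:
                    raise FormatDenied(f"attribute {name!r} not allowed")
                obj = getattr(obj, name)
            else:
                # Item access: deny underscore string keys; integer keys pass
                if isinstance(name, str) and name.startswith("_"):
                    raise FormatDenied(f"key {name!r} not allowed")
                obj = obj[name]
        return obj, first


class Doc:
    """Constructed stand-in for a content object with one private attribute."""

    def __init__(self, title):
        self.title = title
        self._secret = "internal only"


def render(template, obj, allowed=("title",)):
    """Format a user-supplied template against obj under the allow-list."""
    return RestrictedFormatter(allowed).format(template, obj)


def template_is_allowed(template, obj, allowed=("title",)):
    """True when the template resolves only allow-listed fields."""
    try:
        render(template, obj, allowed)
    except FormatDenied:
        return False
    return True
```

Plain `"{0._secret}".format(doc)` returns the private value, while `render` raises `FormatDenied` for the same template; `template_is_allowed` is the check a template-saving code path would run before storing user input.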