=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN671
_____________________________________________________________________

DATE                : 25/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
                     plone.app.portlets (pip) versions prior to
                         7.0.2, 6.0.4, 5.0.8,
                     plone.app.event (pip) versions prior to
                         5.2.4, 6.0.1,
                     plone.app.contenttypes (pip) versions prior to
                         5.0.1, 4.0.10, 3.0.12,
                     plone.app.dexterity versions prior to
                         5.0.1, 4.1.3, 3.2.3,
                     icalendar versions prior to 7.1.3,
                     RestrictedPython versions prior to 8.3.

=====================================================================
https://plone.org/security/announcements/plone-security-advisory-20260623
_____________________________________________________________________

Plone security advisory 20260623

Various vulnerabilities, including Remote Code Execution and Denial
of Service

On behalf of the Plone/Zope Security Team I announce several
vulnerability fixes.

    Remote Code Execution via TALES Injection, severity 9.9 critical
    Denial of service via iCalendar import, severity 9.1 critical
    Denial of service via RSS feed portlet, severity 9.1 critical
    Denial of Service due to excessive title/description/filename
    length, severity 6.5 moderate. This has fixes in two packages:
        plone.app.dexterity
        plone.app.contenttypes

Two others were already made public recently; we list them here for
good measure: icalendar and RestrictedPython.

Some are only a vulnerability on Classic UI (for example, Volto has
no portlets), but others are a vulnerability on Volto as well.

Taking all of these together, you should update your Plone sites to
the following versions (formatted as pip constraints here):

Plone 6.2:

icalendar==7.1.3
plone.app.contenttypes==5.0.1
plone.app.dexterity==5.0.1
plone.app.event==6.0.1
plone.app.portlets==7.0.2
RestrictedPython==8.3

Plone 6.1:

plone.app.contenttypes==4.0.10
plone.app.dexterity==4.1.3
plone.app.event==5.2.4
plone.app.portlets==6.0.4
RestrictedPython==8.3

Plone 6.0:

plone.app.contenttypes==3.0.12
plone.app.dexterity==3.2.3
plone.app.event==5.2.4
plone.app.portlets==5.0.8
RestrictedPython==8.3; python_version > '3.10'
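The constraint lists above are data an operator still has to compare against what a site actually has installed. The following added example (not part of the advisory, nor Plone's own tooling) encodes those pins and reports which packages of a given Plone series are still below their fixed version; the names `ADVISORY_20260623`, `version_key` and `audit` are chosen here, and `installed` may be a constructed mapping or, when omitted, the running environment.

```python
import re
import sys
from importlib.metadata import PackageNotFoundError, version as installed_version

# Fixed versions per Plone series, copied from the advisory's pip constraints.
ADVISORY_20260623 = {
    "6.2": {"icalendar": "7.1.3", "plone.app.contenttypes": "5.0.1",
            "plone.app.dexterity": "5.0.1", "plone.app.event": "6.0.1",
            "plone.app.portlets": "7.0.2", "RestrictedPython": "8.3"},
    "6.1": {"plone.app.contenttypes": "4.0.10", "plone.app.dexterity": "4.1.3",
            "plone.app.event": "5.2.4", "plone.app.portlets": "6.0.4",
            "RestrictedPython": "8.3"},
    "6.0": {"plone.app.contenttypes": "3.0.12", "plone.app.dexterity": "3.2.3",
            "plone.app.event": "5.2.4", "plone.app.portlets": "5.0.8",
            "RestrictedPython": "8.3"},
}

def version_key(text):
    """Comparable key for a release string (assumes no PEP 440 epoch): numeric
    parts minus trailing zeros, plus a rank so 8.3rc1 < 8.3.0 == 8.3 < 8.3.post1."""
    nums, rank = [], 1                          # rank: 0 pre, 1 final, 2 post
    for comp in text.split("+")[0].split("."):  # drop any local "+..." label
        m = re.match(r"(\d*)([a-z]*)", comp.lower())
        if m.group(1):
            nums.append(int(m.group(1)))
        if m.group(2):                          # a, b, rc, dev, post ...
            rank = 2 if m.group(2) == "post" else 0
            break
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), rank)

def audit(series, installed=None, python_version=sys.version_info[:2]):
    """Map each package still below its fixed version to (installed, fixed).
    `installed` is {package: version}; None queries the running environment."""
    report = {}
    for pkg, fixed in ADVISORY_20260623[series].items():
        if series == "6.0" and pkg == "RestrictedPython" and python_version <= (3, 10):
            continue                            # pin has marker python_version > '3.10'
        try:
            have = installed[pkg] if installed is not None else installed_version(pkg)
        except (KeyError, PackageNotFoundError):
            continue                            # not installed, so not affected
        if version_key(have) < version_key(fixed):
            report[pkg] = (have, fixed)
    return report

if __name__ == "__main__":  # constructed sample: a partly updated Plone 6.1 site
    for pkg, (have, fixed) in audit("6.1", {"plone.app.portlets": "6.0.3"}).items():
        print(f"{pkg} {have} is still vulnerable; pin {pkg}=={fixed}")
```

Run it inside the site's virtualenv with `audit("6.1")` (no mapping) to check the real environment; the pre-release and post-release handling matters because a plain string comparison would rank 7.1.10 below 7.1.3.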

You may want to check if you have already applied the
plone.app.textfield and plone.restapi fixes from the
June 5 announcement.

If you think a security issue was incompletely solved, please
contact the Plone/Zope Security Team via email at
security@plone.org.

If these versions cause other problems, you can comment on the
community forum announcement, or open an issue in the
Products.CMFPlone tracker. Please check if anything was
reported already.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================