Security vulnerability pre-announcement: 20151208

This is a pre-announcement of availability of this security fix.

CVE numbers not yet issued.

Versions Affected: All supported Plone versions.

Versions Not Affected: None.

The patch will be released on Tuesday, December 8, 2015 (2015-12-08) at 15:00 UTC.

I'd like to know if I need to schedule time and people to deploy this the moment this is released.

Is this a fix for remote escalation of privileges, or alike the previous security update which only fixed CSRF?
Can we get a general indication of severity and impact, or is this unknown at the moment?


Impact can depend a little on what you're doing. The patch will address unauthorized disclosure of registered user information.

Thanks, much appreciated!

Patch has been released at