Hi all,
Two low-impact security issues have been identified in Products.PluggableAuthService:
- an information disclosure issue involving the ZODB Role Manager plugin. See the GitHub advisory "Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager" (zopefoundation/Products.PluggableAuthService) for details.
- an open redirect issue in the Cookie Auth Helper. See the GitHub advisory "URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService" (zopefoundation/Products.PluggableAuthService) for details.
Both issues are mitigated by updating to Products.PluggableAuthService version 2.6.1 or higher. The Plone release managers will apply this update with Plone bugfix releases they are planning to publish within the next few days.