April 28, 2011

13% of Plone sites running without security hotfix for CVE-2011-0720

CVE-2011-0720 hotfix not installed on a huge number of public Plone sites.

The hotfix for CVE-2011-0720 has now been out for almost three months, which should be long enough for every responsible administrator to apply it.

However, a quick check of 2300 Plone sites revealed that 13% of the checked sites are still running without the protection.

13% of 2300 is more than 300 unpatched, vulnerable sites. There are of course many more Plone sites on the net, but this proportion is likely representative of those as well.

Every administrator or person in charge of a public Plone site should check CVE-2011-0720 once again, or notify whoever is responsible so that the hotfix gets applied.

Unpatched systems are bad for Plone's security record and for its public recognition as a secure CMS.