CVE-2024-23756: Insecure HTTP Methods

Information

Description: The HTTP PUT and DELETE methods are enabled in the Official Docker Plone version 5.2.13 (5221).
Versions Affected: 5.2.13 (5221)
Version Fixed: latest
Researcher: Tomas Castro Rojas (https://www.linkedin.com/in/tomas-castro1337/)
Product Link: https://hub.docker.com/_/plone
CVE.org Link: https://www.cve.org/CVERecord?id=CVE-2024-23756

Proof-of-Concept Exploit

Description

The HTTP PUT and DELETE methods are enabled in the Official Docker Plone version 5.2.13 (5221), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server under a user-supplied URL, while the DELETE method requests that the origin server remove the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.

Usage/Exploitation

Download the Plone docker image using:

This command will create a local "web application" installation on 127.0.0.1:8080. Refresh the page using an HTTP proxy to intercept the request. At this point, we use the PUT method to upload a file, adding the content in the body of the request, and then use GET to access the file that we just uploaded. We can also delete this file using the HTTP DELETE method, which is also enabled in Plone.

Example Requests

Fix

Plone fixed this problem by adding the header.
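As an added verification check (not part of the advisory, and not Plone's own code), the following Python script sends an OPTIONS request to a deployment and reports whether PUT or DELETE are still advertised in the Allow header, which is a quick way to confirm that the fix described above is in place; the default target URL and the set of methods treated as dangerous are assumptions.

```python
"""Verify that a web deployment no longer advertises the PUT/DELETE methods.

Constructed example: sends a single OPTIONS request (no upload, no deletion)
and parses the Allow header. Assumes the local install from the advisory
listens on http://127.0.0.1:8080/ unless another URL is given.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request

# Methods that should not be reachable on a public Plone front end (assumption).
DANGEROUS_METHODS = {"PUT", "DELETE"}


def parse_allow_header(allow: str) -> set[str]:
    """Split an RFC 9110 Allow value such as 'GET, HEAD, PUT' into method tokens."""
    return {token.strip().upper() for token in allow.split(",") if token.strip()}


def dangerous_methods(allow: str) -> set[str]:
    """Return the advertised methods that are considered dangerous."""
    return parse_allow_header(allow) & DANGEROUS_METHODS


def fetch_allow_header(url: str, timeout: float = 5.0) -> str:
    """Send OPTIONS and return the Allow header, or '' if the server omits it."""
    request = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.headers.get("Allow", "")
    except urllib.error.HTTPError as err:
        # A 405 reply must still carry Allow (RFC 9110 section 15.5.6).
        return err.headers.get("Allow", "")


def check_url(url: str) -> dict:
    """Probe one URL and summarise which dangerous methods it advertises."""
    allow = fetch_allow_header(url)
    found = dangerous_methods(allow)
    return {"url": url, "allow": allow, "dangerous": sorted(found), "ok": not found}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/"
    result = check_url(target)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

An Allow header only reflects what the server advertises, so a clean result should be confirmed against the front-end proxy configuration as well.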