VYPR

PyPI package

plone

pkg:pypi/plone

Vulnerabilities (100)

  • CVE-2012-5491Sep 30, 2014
    affected < 4.2.3fixed 4.2.3

    z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

  • CVE-2012-5490Sep 30, 2014
    affected < 4.2.3fixed 4.2.3

    Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2012-5489Sep 30, 2014
    affected >= 3.2.2, < 4.2.3fixed 4.2.3

    The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

  • CVE-2012-5488Sep 30, 2014
    affected < 4.2.3fixed 4.2.3

    python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

  • CVE-2012-5487Sep 30, 2014
    affected < 4.2.3fixed 4.2.3

    The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

  • CVE-2012-5486Sep 30, 2014
    affected >= 3.3.2, < 4.2.3fixed 4.2.3

    ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

  • CVE-2012-5485Sep 30, 2014
    affected < 4.2.3fixed 4.2.3

    registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

  • CVE-2013-7061May 2, 2014
    affected >= 3.3b1, < 4.3.3fixed 4.3.3

    Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.

  • CVE-2013-7060May 2, 2014
    affected >= 3.3, < 4.3.3fixed 4.3.3

    Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.

  • CVE-2013-4199Mar 11, 2014
    affected >= 4.3, < 4.3.2fixed 4.3.2

    (1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).

  • CVE-2013-4198Mar 11, 2014
    affected >= 2.1, <= 4.1

    mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.

  • CVE-2013-4197Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors.

  • CVE-2013-4196Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.

  • CVE-2013-4195Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via un

  • CVE-2013-4194Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.

  • CVE-2013-4193Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.

  • CVE-2013-4192Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors.

  • CVE-2013-4191Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.

  • CVE-2013-4190Mar 11, 2014
    affected >= 2.1, < 4.1.1fixed 4.1.1

    Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2013-4189Mar 11, 2014
    affected >= 2.1, <= 4.1

    Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unkno

Page 4 of 5