VYPR

PyPI package

products.cmfplone

pkg:pypi/products.cmfplone

Vulnerabilities (6)

  • CVE-2017-1000482MedJan 3, 2018
    affected < 4.3.17fixed 4.3.17

    A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.

  • CVE-2017-1000481MedJan 3, 2018
    affected < 4.3.17fixed 4.3.17

    When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on

  • CVE-2015-7315MedSep 25, 2017
    affected >= 3.3.0, < 4.3.7fixed 4.3.7

    Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.

  • CVE-2013-7061May 2, 2014
    affected >= 3.3, < 4.3.3fixed 4.3.3

    Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.

  • CVE-2013-7060May 2, 2014
    affected >= 3.3, < 4.3.3fixed 4.3.3

    Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.

  • CVE-2011-1948Jun 6, 2011
    affected < 4.0.7fixed 4.0.7

    Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.