PyPI package
products.cmfplone
pkg:pypi/products.cmfplone
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-1000482 | Med | 5.4 | < 4.3.17 | 4.3.17 | Jan 3, 2018 | A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page. | |
| CVE-2017-1000481 | Med | 6.1 | < 4.3.17 | 4.3.17 | Jan 3, 2018 | When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on | |
| CVE-2015-7315 | Med | 5.9 | >= 3.3.0, < 4.3.7 | 4.3.7 | Sep 25, 2017 | Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator. | |
| CVE-2013-7061 | — | >= 3.3, < 4.3.3 | 4.3.3 | May 2, 2014 | Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API. | ||
| CVE-2013-7060 | — | >= 3.3, < 4.3.3 | 4.3.3 | May 2, 2014 | Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | ||
| CVE-2011-1948 | — | < 4.0.7 | 4.0.7 | Jun 6, 2011 | Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
- affected < 4.3.17fixed 4.3.17
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
- affected < 4.3.17fixed 4.3.17
When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on
- affected >= 3.3.0, < 4.3.7fixed 4.3.7
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
- CVE-2013-7061May 2, 2014affected >= 3.3, < 4.3.3fixed 4.3.3
Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.
- CVE-2013-7060May 2, 2014affected >= 3.3, < 4.3.3fixed 4.3.3
Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.
- CVE-2011-1948Jun 6, 2011affected < 4.0.7fixed 4.0.7
Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.