Plone

pypi: plone

Source repositories

https://github.com/plone/Products.CMFPlone

CVEs (77)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2015-7293	Zope Zope Management Interface	Hig	0.60	8.8	0.03	Sep 25, 2017	Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
CVE-2015-7318	Plone (software) Plone	Hig	0.49	7.5	0.02	Sep 25, 2017	Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
CVE-2016-4041	Plone (software) Plone	Hig	0.48	7.3	0.01	Feb 24, 2017	Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.
CVE-2015-7317	Kupu Kupu	Med	0.44	6.8	0.02	Sep 25, 2017	Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings.
CVE-2016-7140	Plone (software) Plone	Med	0.40	6.1	0.02	Mar 7, 2017	Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-7139	Plone (software) Plone	Med	0.40	6.1	0.02	Mar 7, 2017	Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2016-7138	Plone (software) Plone	Med	0.40	6.1	0.02	Mar 7, 2017	Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2016-7137	Plone (software) Plone	Med	0.40	6.1	0.02	Mar 7, 2017	Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1)…
CVE-2016-7136	Plone (software) Plone	Med	0.40	6.1	0.02	Mar 7, 2017	z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.
CVE-2016-7147	Plone (software) Plone	Med	0.40	6.1	0.01	Feb 4, 2017	Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the…
CVE-2016-4042	Plone (software) Plone	Med	0.35	5.3	0.01	Feb 24, 2017	Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.
CVE-2015-7316	Plone (software) Plone	Med	0.33	6.1	0.01	Sep 25, 2017	Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
CVE-2015-7315	Plone (software) Plone	Med	0.32	5.9	0.02	Sep 25, 2017	Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
CVE-2016-7135	Plone (software) Plone	Med	0.32	4.9	0.03	Mar 7, 2017	Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
CVE-2016-4043	Plone (software) Plone	Med	0.32	4.9	0.01	Feb 24, 2017	Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.
CVE-2017-5524	Plone (software) Plone	Med	0.21	4.3	0.01	Mar 23, 2017	Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
CVE-2013-4200	Plone (software) Plone		0.03	—	0.02	Jan 21, 2014	The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, …
CVE-2006-1711	Plone (software) Plone		0.03	—	0.04	Apr 11, 2006	Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
CVE-2011-3587	Zope Zope		0.02	—	0.79	Oct 10, 2011	Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
CVE-2024-23756	Plone (software) Plone		0.00	—	0.01	Feb 8, 2024	The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them.

CVE-2015-7293HigSep 25, 2017
Zope
Zope Management Interface
risk 0.60cvss 8.8epss 0.03
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
CVE-2015-7318HigSep 25, 2017
Plone (software)
Plone
risk 0.49cvss 7.5epss 0.02
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
CVE-2016-4041HigFeb 24, 2017
Plone (software)
Plone
risk 0.48cvss 7.3epss 0.01
Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.
CVE-2015-7317MedSep 25, 2017
Kupu
Kupu
risk 0.44cvss 6.8epss 0.02
Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings.
CVE-2016-7140MedMar 7, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-7139MedMar 7, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.02
Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2016-7138MedMar 7, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.02
Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
CVE-2016-7137MedMar 7, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.02
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1)…
CVE-2016-7136MedMar 7, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.02
z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.
CVE-2016-7147MedFeb 4, 2017
Plone (software)
Plone
risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the…
CVE-2016-4042MedFeb 24, 2017
Plone (software)
Plone
risk 0.35cvss 5.3epss 0.01
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.
CVE-2015-7316MedSep 25, 2017
Plone (software)
Plone
risk 0.33cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
CVE-2015-7315MedSep 25, 2017
Plone (software)
Plone
risk 0.32cvss 5.9epss 0.02
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
CVE-2016-7135MedMar 7, 2017
Plone (software)
Plone
risk 0.32cvss 4.9epss 0.03
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
CVE-2016-4043MedFeb 24, 2017
Plone (software)
Plone
risk 0.32cvss 4.9epss 0.01
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.
CVE-2017-5524MedMar 23, 2017
Plone (software)
Plone
risk 0.21cvss 4.3epss 0.01
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
CVE-2013-4200Jan 21, 2014
Plone (software)
Plone
risk 0.03cvss —epss 0.02
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, …
CVE-2006-1711Apr 11, 2006
Plone (software)
Plone
risk 0.03cvss —epss 0.04
Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
CVE-2011-3587Oct 10, 2011
Zope
Zope
risk 0.02cvss —epss 0.79
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
CVE-2024-23756Feb 8, 2024
Plone (software)
Plone
risk 0.00cvss —epss 0.01
The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them.

Page 1 of 4