Total
103 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-4194 | 1 Plone | 1 Plone | 2024-02-04 | 4.3 MEDIUM | N/A |
The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | |||||
CVE-2012-5492 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL. | |||||
CVE-2012-5497 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. | |||||
CVE-2013-4196 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. | |||||
CVE-2012-5508 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. | |||||
CVE-2012-5501 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL. | |||||
CVE-2013-4195 | 1 Plone | 1 Plone | 2024-02-04 | 5.8 MEDIUM | N/A |
Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
CVE-2013-4190 | 1 Plone | 1 Plone | 2024-02-04 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-6661 | 2 Plone, Zope | 2 Plone, Zope | 2024-02-04 | 5.0 MEDIUM | N/A |
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). | |||||
CVE-2013-7061 | 1 Plone | 1 Plone | 2024-02-04 | 5.5 MEDIUM | N/A |
Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API. | |||||
CVE-2012-5500 | 1 Plone | 1 Plone | 2024-02-04 | 4.3 MEDIUM | N/A |
The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request. | |||||
CVE-2013-4197 | 1 Plone | 1 Plone | 2024-02-04 | 5.5 MEDIUM | N/A |
member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors. | |||||
CVE-2013-4198 | 1 Plone | 1 Plone | 2024-02-04 | 4.0 MEDIUM | N/A |
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality. | |||||
CVE-2012-5505 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name. | |||||
CVE-2013-4188 | 1 Plone | 1 Plone | 2024-02-04 | 4.3 MEDIUM | N/A |
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." | |||||
CVE-2013-4192 | 1 Plone | 1 Plone | 2024-02-04 | 4.0 MEDIUM | N/A |
sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors. | |||||
CVE-2012-5506 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. | |||||
CVE-2012-5488 | 1 Plone | 1 Plone | 2024-02-04 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. | |||||
CVE-2012-5485 | 1 Plone | 1 Plone | 2024-02-04 | 6.8 MEDIUM | N/A |
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. | |||||
CVE-2012-5502 | 1 Plone | 1 Plone | 2024-02-04 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors. |