Filtered by vendor Plone
Subscribe
Total
114 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-4200 | 1 Plone | 1 Plone | 2023-12-10 | 5.8 MEDIUM | N/A |
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login. | |||||
CVE-2012-5490 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2013-4195 | 1 Plone | 1 Plone | 2023-12-10 | 5.8 MEDIUM | N/A |
Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
CVE-2012-5488 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. | |||||
CVE-2012-5503 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. | |||||
CVE-2012-5506 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. | |||||
CVE-2012-5485 | 1 Plone | 1 Plone | 2023-12-10 | 6.8 MEDIUM | N/A |
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. | |||||
CVE-2013-4194 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | |||||
CVE-2012-5502 | 1 Plone | 1 Plone | 2023-12-10 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5498 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. | |||||
CVE-2013-4191 | 1 Plone | 1 Plone | 2023-12-10 | 5.8 MEDIUM | N/A |
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive. | |||||
CVE-2013-7060 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | |||||
CVE-2012-5492 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL. | |||||
CVE-2012-5504 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5491 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id. | |||||
CVE-2013-4196 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. | |||||
CVE-2012-5496 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL. | |||||
CVE-2012-5495 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back." | |||||
CVE-2012-5505 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name. | |||||
CVE-2013-4188 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." |