Total
104 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-5506 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. | |||||
CVE-2012-5485 | 1 Plone | 1 Plone | 2023-12-10 | 6.8 MEDIUM | N/A |
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. | |||||
CVE-2013-4194 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | |||||
CVE-2012-5502 | 1 Plone | 1 Plone | 2023-12-10 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5498 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. | |||||
CVE-2013-4191 | 1 Plone | 1 Plone | 2023-12-10 | 5.8 MEDIUM | N/A |
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive. | |||||
CVE-2013-7060 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | |||||
CVE-2012-5492 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL. | |||||
CVE-2012-5504 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5491 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id. | |||||
CVE-2013-4196 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. | |||||
CVE-2012-5496 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL. | |||||
CVE-2012-5495 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back." | |||||
CVE-2012-5505 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name. | |||||
CVE-2013-4188 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." | |||||
CVE-2012-5489 | 2 Plone, Zope | 2 Plone, Zope | 2023-12-10 | 6.5 MEDIUM | N/A |
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. | |||||
CVE-2012-5494 | 1 Plone | 1 Plone | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate." | |||||
CVE-2012-5508 | 1 Plone | 1 Plone | 2023-12-10 | 5.0 MEDIUM | N/A |
The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. | |||||
CVE-2012-5493 | 1 Plone | 1 Plone | 2023-12-10 | 8.5 HIGH | N/A |
gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors. | |||||
CVE-2013-4192 | 1 Plone | 1 Plone | 2023-12-10 | 4.0 MEDIUM | N/A |
sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors. |