10 matches found
EUVD-2014-0065
Malware in sbrugna...
Plone Cross-site scripting Vulnerability
Cross-site scripting (XSS) vulnerability in pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "u,translate."...
Plone allows remote attackers to read hidden folder contents
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors...
PYSEC-2014-44
Cross-site scripting (XSS) vulnerability in safehtml.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors...
Code injection
membershiptool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL...
Cross-site request forgery (CSRF)
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name...
PYSEC-2014-45
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors...
PYSEC-2014-33
z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id...
PYSEC-2014-47
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name...
CVE-2012-5486
CVE-2012-5486 - HP: ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19 (used in Plone before 4.3 beta 1) allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. Affected components: Zope 2 series up to 2.13.18; Plone deployments including the Plone before...