4 matches found
Code injection
membershiptool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL...
Cross site request forgery (csrf)
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name...
PYSEC-2014-47
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name...
CVE-2012-5486
CVE-2012-5486 - HP: ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19 (used in Plone before 4.3 beta 1) allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. Affected components: Zope 2 series up to 2.13.18; Plone deployments including the Plone before...