EUVD-2014-0067

Malware in sbrugna...

GHSA-PWGM-JVQV-6V8P Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587...

GHSA-QJXF-6PR8-J87V Plone's authenticated users able to alter their password despite of policy definition

mailpassword.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality...

CVE-2021-33509

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script...

PYSEC-2017-53

Cross-site scripting XSS vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1...

PYSEC-2014-30

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject...

CVE-2006-1711

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the 1 changeMemberPortrait, 2 deletePersonalPortrait, and 3 testCurrentPassword methods, which allows remote attackers to modify portraits...