Lucene search

K
PlonePlone

103 matches found

CVE
CVE
added 2022/01/28 10:15 p.m.140 views

CVE-2022-23599

Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscre...

6.1CVSS5AI score0.00232EPSS
CVE
CVE
added 2011/07/19 8:55 p.m.116 views

CVE-2011-2528

Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS6.6AI score0.01407EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.105 views

CVE-2021-33513

Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.

5.4CVSS5.4AI score0.00302EPSS
CVE
CVE
added 2011/02/03 5:0 p.m.102 views

CVE-2011-0720

Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.

7.5CVSS6.4AI score0.01407EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.101 views

CVE-2021-33508

Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.

5.4CVSS5.4AI score0.00272EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.101 views

CVE-2021-33510

Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.

4.3CVSS4.5AI score0.00123EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.100 views

CVE-2021-33512

Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.

5.4CVSS5.3AI score0.00302EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.99 views

CVE-2021-33507

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

6.1CVSS6.4AI score0.00285EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.99 views

CVE-2021-33509

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

9.9CVSS8.9AI score0.0098EPSS
CVE
CVE
added 2021/05/21 10:15 p.m.98 views

CVE-2021-33511

Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.

7.5CVSS7.5AI score0.00276EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.94 views

CVE-2020-7941

A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.

9.8CVSS9.4AI score0.00619EPSS
CVE
CVE
added 2021/06/30 1:15 a.m.84 views

CVE-2021-35959

In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.

5.4CVSS5.1AI score0.00302EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.81 views

CVE-2020-7937

An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.

5.4CVSS5.1AI score0.00504EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.80 views

CVE-2020-7938

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.

8.8CVSS8.6AI score0.00628EPSS
CVE
CVE
added 2011/10/10 10:55 a.m.79 views

CVE-2011-3587

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

9.3CVSS7.4AI score0.90592EPSS
CVE
CVE
added 2018/01/03 8:29 p.m.78 views

CVE-2017-1000484

By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form...

6.1CVSS6AI score0.00197EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.78 views

CVE-2020-7940

Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.

7.5CVSS7.3AI score0.0034EPSS
CVE
CVE
added 2020/12/30 7:15 p.m.77 views

CVE-2020-28734

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

8.8CVSS8.4AI score0.00484EPSS
CVE
CVE
added 2011/12/30 1:55 a.m.76 views

CVE-2011-4462

Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

5CVSS6.6AI score0.00893EPSS
CVE
CVE
added 2011/06/06 7:55 p.m.75 views

CVE-2011-1949

Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.

3.5CVSS5.2AI score0.00474EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.71 views

CVE-2012-5507

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

4.3CVSS6.7AI score0.00276EPSS
CVE
CVE
added 2020/01/02 7:15 p.m.71 views

CVE-2013-7062

Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager ...

6.1CVSS6AI score0.00763EPSS
CVE
CVE
added 2020/12/30 7:15 p.m.71 views

CVE-2020-28735

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

8.8CVSS8.5AI score0.00484EPSS
CVE
CVE
added 2010/06/24 12:17 p.m.70 views

CVE-2010-2422

Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.

4.3CVSS5.6AI score0.00474EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.70 views

CVE-2020-7936

An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.

6.1CVSS6AI score0.0034EPSS
CVE
CVE
added 2011/06/06 7:55 p.m.69 views

CVE-2011-1948

Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.8AI score0.00526EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.69 views

CVE-2012-5486

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

6.4CVSS6.4AI score0.00821EPSS
CVE
CVE
added 2014/11/03 10:55 p.m.69 views

CVE-2012-6661

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability ty...

5CVSS6.4AI score0.00403EPSS
CVE
CVE
added 2020/12/30 7:15 p.m.69 views

CVE-2020-28736

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

8.8CVSS8.4AI score0.00484EPSS
CVE
CVE
added 2021/05/21 2:15 p.m.68 views

CVE-2021-32633

Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites t...

8.8CVSS7.4AI score0.00943EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.67 views

CVE-2012-5497

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.

5CVSS6.2AI score0.00435EPSS
CVE
CVE
added 2020/01/23 9:15 p.m.67 views

CVE-2020-7939

SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)

8.8CVSS8.9AI score0.00509EPSS
CVE
CVE
added 2014/11/03 10:55 p.m.65 views

CVE-2012-5508

The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG r...

5CVSS6.5AI score0.00403EPSS
CVE
CVE
added 2017/03/23 4:59 p.m.65 views

CVE-2017-5524

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.

4.3CVSS4.8AI score0.00185EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.63 views

CVE-2012-5489

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

6.5CVSS6.5AI score0.00575EPSS
CVE
CVE
added 2021/03/08 9:15 p.m.63 views

CVE-2021-21336

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this p...

6.5CVSS6.3AI score0.00324EPSS
CVE
CVE
added 2011/06/06 7:55 p.m.62 views

CVE-2011-1950

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

5.5CVSS6.5AI score0.00864EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.60 views

CVE-2012-5485

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

6.8CVSS7AI score0.00599EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.60 views

CVE-2012-5503

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

5CVSS6.5AI score0.00319EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.57 views

CVE-2012-5488

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

5CVSS6.8AI score0.0064EPSS
CVE
CVE
added 2014/09/30 2:55 p.m.57 views

CVE-2012-5499

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

5CVSS6.3AI score0.00887EPSS
CVE
CVE
added 2014/11/03 10:55 p.m.57 views

CVE-2012-5500

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.

4.3CVSS6.3AI score0.00343EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.54 views

CVE-2016-7137

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgrou...

6.1CVSS6.3AI score0.00477EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.52 views

CVE-2016-7135

Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.

4.9CVSS5.2AI score0.007EPSS
CVE
CVE
added 2006/04/11 6:6 p.m.51 views

CVE-2006-1711

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

5CVSS6.3AI score0.11107EPSS
CVE
CVE
added 2011/10/10 10:55 a.m.51 views

CVE-2011-4030

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

9.3CVSS6.5AI score0.90592EPSS
CVE
CVE
added 2014/01/21 4:6 p.m.51 views

CVE-2013-4200

The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbi...

5.8CVSS6.7AI score0.05684EPSS
CVE
CVE
added 2018/01/03 6:29 p.m.51 views

CVE-2017-1000483

Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.

6.5CVSS6.3AI score0.00294EPSS
CVE
CVE
added 2023/02/17 6:15 p.m.51 views

CVE-2021-33926

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, ...

8.8CVSS8.3AI score0.0021EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.50 views

CVE-2016-7136

z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.

6.1CVSS5.8AI score0.00498EPSS
Total number of security vulnerabilities103