Search results for Plone 4.2.1.1: 21 matches found

CVE records, added 2014/09/30 2:55 p.m. (73 views)

CVE-2012-5486

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVSS 6.4, AI score 6.4, EPSS 0.00821

CVE-2012-5507

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

CVSS 4.3, AI score 6.7, EPSS 0.00276

CVE-2012-5497

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.

CVSS 5, AI score 6.2, EPSS 0.00435

CVE-2012-5485

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVSS 6.8, AI score 7, EPSS 0.00599

CVE-2012-5489

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

CVSS 6.5, AI score 6.5, EPSS 0.00575

CVE-2012-5488

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVSS 5, AI score 6.8, EPSS 0.0064

CVE-2012-5499

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

CVSS 5, AI score 6.3, EPSS 0.00887

CVE-2012-5503

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

CVSS 5, AI score 6.5, EPSS 0.00319

CVE-2012-5487

The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVSS 8.5, AI score 7.2, EPSS 0.00788

CVE-2012-5498

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.

CVSS 5, AI score 6.3, EPSS 0.01169

CVE-2012-5495

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

CVSS 5, AI score 7.1, EPSS 0.00638

CVE-2012-5492

uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL.

CVSS 5, AI score 6.5, EPSS 0.00319

CVE-2012-5505

atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name.

CVSS 5, AI score 6.6, EPSS 0.00319

CVE-2012-5494

Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."

CVSS 4.3, AI score 5.8, EPSS 0.00285

CVE-2012-5502

Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors.

CVSS 3.5, AI score 5.3, EPSS 0.00152

CVE-2012-5504

Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3, AI score 5.7, EPSS 0.00285

CVE-2012-5506

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

CVSS 5, AI score 6.7, EPSS 0.00603

CVE-2012-5491

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

CVSS 4.3, AI score 6.6, EPSS 0.00319

CVE-2012-5493

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.

CVSS 8.5, AI score 7.2, EPSS 0.00492

CVE-2012-5501

at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.

CVSS 5, AI score 6.4, EPSS 0.00319

CVE-2012-5490

Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3, AI score 5.7, EPSS 0.00285