Plone@4.3.4 Security Vulnerabilities and Issues — Plone@4.3.4 CVE List

Lucene search

PlonePlone4.3.4

17 matches found

CVE•added 2018/01/03 8:29 p.m.•78 views

CVE-2017-1000484

By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form...

6.1CVSS6AI score0.00197EPSS

CVE•added 2017/03/23 4:59 p.m.•65 views

CVE-2017-5524

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.

4.3CVSS4.8AI score0.00185EPSS

CVE•added 2017/03/07 4:59 p.m.•54 views

CVE-2016-7137

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgrou...

6.1CVSS6.3AI score0.00477EPSS

CVE•added 2017/03/07 4:59 p.m.•52 views

CVE-2016-7135

Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.

4.9CVSS5.2AI score0.007EPSS

CVE•added 2018/01/03 6:29 p.m.•51 views

CVE-2017-1000483

Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.

6.5CVSS6.3AI score0.00294EPSS

CVE•added 2023/02/17 6:15 p.m.•51 views

CVE-2021-33926

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, ...

8.8CVSS8.3AI score0.0021EPSS

CVE•added 2017/03/07 4:59 p.m.•50 views

CVE-2016-7136

z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.

6.1CVSS5.8AI score0.00498EPSS

CVE•added 2017/03/07 4:59 p.m.•50 views

CVE-2016-7138

Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

6.1CVSS5.8AI score0.00491EPSS

CVE•added 2017/02/04 5:59 a.m.•49 views

CVE-2016-7147

Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens paramet...

6.1CVSS5.9AI score0.00491EPSS

CVE•added 2018/01/03 6:29 p.m.•47 views

CVE-2017-1000481

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted...

6.1CVSS6AI score0.00197EPSS

CVE•added 2017/03/07 4:59 p.m.•44 views

CVE-2016-7140

Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

6.1CVSS5.9AI score0.00491EPSS

CVE•added 2017/09/25 5:29 p.m.•42 views

CVE-2015-7316

Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.

6.1CVSS6.1AI score0.0051EPSS

CVE•added 2017/09/25 5:29 p.m.•41 views

CVE-2015-7315

Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.

5.9CVSS5.7AI score0.00436EPSS

CVE•added 2017/02/24 8:59 p.m.•41 views

CVE-2016-4042

Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.

5.3CVSS5AI score0.0023EPSS

CVE•added 2017/09/25 9:29 p.m.•40 views

CVE-2015-7293

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.

8.8CVSS8.9AI score0.00332EPSS

CVE•added 2017/03/07 4:59 p.m.•40 views

CVE-2016-7139

Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

6.1CVSS5.9AI score0.00491EPSS

CVE•added 2017/02/24 8:59 p.m.•36 views

CVE-2016-4041

Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.

7.5CVSS7.3AI score0.00429EPSS