CVSS: 6.5EPSS: 0%CPEs: 109EXPL: 0CVE-2012-5489
https://notcve.org/view.php?id=CVE-2012-5489
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. La función App.Undo.UndoSupport.get_request_var_or_attr en Zope anterior a 2.12.21 y 3.13.x anterior a 2.13.11, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a usuarios remotos autenticados ganar el acceso a atributos restringidos a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1079238 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/05 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5492
https://notcve.org/view.php?id=CVE-2012-5492
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL. uid_catalog.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos obtener metadatos sobre objetos escondidos a través de una URL manipulada. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/08 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 1%CPEs: 72EXPL: 0CVE-2012-5499 – (Plone): Partial denial of service through internal function
https://notcve.org/view.php?id=CVE-2012-5499
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un valor grande, relacionado con formatColumns. It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/15 https://access.redhat.com/security/cve/CVE-2012-5499 https://bugzilla.redhat.com/show_bug.cgi?id=874657 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 2%CPEs: 72EXPL: 0CVE-2012-5498 – (Plone): Partial denial of service through Collections functionality
https://notcve.org/view.php?id=CVE-2012-5498
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. queryCatalog.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos evadir el chacheo y causar una denegación de servicio a través de una solicitud manipulada en una colección. It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/09/7 http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/14 https://access.redhat.com/security/cve/CVE-2012-5498 https://bugzilla.redhat.com/show_bug.cgi?id=874665 • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5497 – (Plone): Anonymous users can list user account names
https://notcve.org/view.php?id=CVE-2012-5497
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. membership_tool.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos enumerar los nombres de las cuentas de usuarios a través de una URL manipulada. It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/13 https://access.redhat.com/security/cve/CVE-2012-5497 https://bugzilla.redhat.com/show_bug.cgi?id=874681 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •