Page 12 of 92 results (0.017 seconds)

CVSS: 5.0EPSS: 1%CPEs: 72EXPL: 0

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un valor grande, relacionado con formatColumns. It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/15 https://access.redhat.com/security/cve/CVE-2012-5499 https://bugzilla.redhat.com/show_bug.cgi?id=874657 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.0EPSS: 2%CPEs: 72EXPL: 0

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. queryCatalog.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos evadir el chacheo y causar una denegación de servicio a través de una solicitud manipulada en una colección. It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/09/7 http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/14 https://access.redhat.com/security/cve/CVE-2012-5498 https://bugzilla.redhat.com/show_bug.cgi?id=874665 • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.0EPSS: 0%CPEs: 72EXPL: 0

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. membership_tool.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos enumerar los nombres de las cuentas de usuarios a través de una URL manipulada. It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/13 https://access.redhat.com/security/cve/CVE-2012-5497 https://bugzilla.redhat.com/show_bug.cgi?id=874681 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 1%CPEs: 72EXPL: 0

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. registerConfiglet.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos ejecutar código Python a través de vectores no especificados, relacionado con la interfaz de administración. It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone's restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/01 https://access.redhat.com/security/cve/CVE-2012-5485 https://bugzilla.redhat.com/show_bug.cgi?id=878934 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •

CVSS: 4.3EPSS: 0%CPEs: 64EXPL: 0

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request. La secuencias de comandos de cambio de id de batch (renameObjectsByPaths.py) en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos cambiar los títulos de elementos del contenido mediante el aprovechamiento de un token CSRF válido en una solicitud manipulada. It was discovered that Plone, included as a part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/16 https://access.redhat.com/security/cve/CVE-2012-5500 https://bugzilla.redhat.com/show_bug.cgi?id=874649 • CWE-284: Improper Access Control CWE-352: Cross-Site Request Forgery (CSRF) •