Page 12 of 58 results (0.003 seconds)

CVSS: 5.0EPSS: 0%CPEs: 52EXPL: 0

The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. La implementación object manager (objectmanager.py) en Plone 2.1 hasta 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1 no restringe debidamente acceso a los métodos internos, lo que permite a atacantes remotos obtener información sensible a través de una solicitud manipulada. • http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://seclists.org/oss-sec/2013/q3/261 https://bugzilla.redhat.com/show_bug.cgi?id=978475 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." traverser.py en Plone 2.1 hasta 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1 permite a atacantes remotos con privilegios de administrador causar una denegación de servicio (bucle infinito y consumo de recursos) a través de vectores no especificados relacionados con "la recuperación de información para ciertos recursos." • http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://seclists.org/oss-sec/2013/q3/261 https://bugzilla.redhat.com/show_bug.cgi?id=978449 • CWE-399: Resource Management Errors •

CVSS: 5.8EPSS: 4%CPEs: 46EXPL: 1

The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login. El método isURLInPortal en la clase URLTool en in_portal.py en Plone 2.1 a 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1, trata las URLs que comienzan con un espacio como URLs relativas, lo cual permite a atacantes sortear la propiedad de filtrado allow_external_login_sites, redirigiendo a usuarios a sitios web arbitrarios, y efectuando ataques de phishing a través de un espacio antes de la URL en el parámetro "next" en acl_users/credentials_cookie_auth/require_login. Plone CMS suffers from a URL redirection credential disclosure vulnerability. • https://www.exploit-db.com/exploits/38738 http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://www.openwall.com/lists/oss-security/2013/08/01/2 http://www.securityfocus.com/archive/1/530787/100/0/threaded https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4200 • CWE-264: Permissions, Privileges, and Access Controls •