Page 14 of 75 results (0.050 seconds)

CVSS: 5.8EPSS: 0%CPEs: 52EXPL: 0

Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Múltiples vulnerabilidades de redirección abierta en (1) marmoset_patch.py, (2) publish.py y (3) principiaredirect.py en Plone 2.1 hasta 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1 permiten a atacantes remotos redirigir usuarios a sitios web arbitrarios y realizar ataques de phishing a través de vectores no especificados. • http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://seclists.org/oss-sec/2013/q3/261 https://bugzilla.redhat.com/show_bug.cgi?id=978471 • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 0%CPEs: 52EXPL: 0

The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. La implementación object manager (objectmanager.py) en Plone 2.1 hasta 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1 no restringe debidamente acceso a los métodos internos, lo que permite a atacantes remotos obtener información sensible a través de una solicitud manipulada. • http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://seclists.org/oss-sec/2013/q3/261 https://bugzilla.redhat.com/show_bug.cgi?id=978475 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." traverser.py en Plone 2.1 hasta 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1 permite a atacantes remotos con privilegios de administrador causar una denegación de servicio (bucle infinito y consumo de recursos) a través de vectores no especificados relacionados con "la recuperación de información para ciertos recursos." • http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://seclists.org/oss-sec/2013/q3/261 https://bugzilla.redhat.com/show_bug.cgi?id=978449 • CWE-399: Resource Management Errors •

CVSS: 5.8EPSS: 4%CPEs: 46EXPL: 1

The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login. El método isURLInPortal en la clase URLTool en in_portal.py en Plone 2.1 a 4.1, 4.2.x hasta 4.2.5 y 4.3.x hasta 4.3.1, trata las URLs que comienzan con un espacio como URLs relativas, lo cual permite a atacantes sortear la propiedad de filtrado allow_external_login_sites, redirigiendo a usuarios a sitios web arbitrarios, y efectuando ataques de phishing a través de un espacio antes de la URL en el parámetro "next" en acl_users/credentials_cookie_auth/require_login. Plone CMS suffers from a URL redirection credential disclosure vulnerability. • https://www.exploit-db.com/exploits/38738 http://plone.org/products/plone-hotfix/releases/20130618 http://plone.org/products/plone/security/advisories/20130618-announcement http://www.openwall.com/lists/oss-security/2013/08/01/2 http://www.securityfocus.com/archive/1/530787/100/0/threaded https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4200 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 1%CPEs: 62EXPL: 0

Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Plone v4.1.3 y anteriores calcula los valores hash de los parámetros de forma, sin restringir la capacidad de desencadenar colisiones hash predecible, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) mediante el envío de gran cantidad de parámetros a mano. • http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html http://secunia.com/advisories/47406 http://www.kb.cert.org/vuls/id/903934 http://www.nruns.com/_downloads/advisory28122011.pdf http://www.ocert.org/advisories/ocert-2011-003.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72018 • CWE-20: Improper Input Validation •