Page 2 of 37 results (0.002 seconds)

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. Zope Products.CMFCore. versiones anteriores a 2.5.1, y Products.PluggableAuthService versiones anteriores a 2.6.2, como es usado en Plone versiones hasta 5.2.4, y otros productos, permiten un ataque de tipo XSS Reflejado • http://www.openwall.com/lists/oss-security/2021/05/22/1 https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 1

Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. • http://www.openwall.com/lists/oss-security/2021/05/21/1 http://www.openwall.com/lists/oss-security/2021/05/22/1 https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633 https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91 https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104 Vulnerabilidad de tipo cross-site scripting (XSS) en Zope versiones 2.8.x anteriores a 2.8.12, versiones 2.9.x anteriores a 2.9.12, versiones 2.10.x anteriores a 2.10.11, versiones 2.11.x anteriores a 2.11.6 y versiones 2.12.x versiones anteriores a 2.12.3 , versiones 3.1.1 hasta 3.4.1, permite a atacantes remotos inyectar script web o HTML arbitrario por medio de vectores relacionados con la forma en que los mensajes de error realizan el saneamiento. NOTA: este problema se presenta debido a una solución incompleta para CVE-2010-1104 • http://www.openwall.com/lists/oss-security/2012/01/19/16 http://www.openwall.com/lists/oss-security/2012/01/19/17 http://www.openwall.com/lists/oss-security/2012/01/19/18 http://www.openwall.com/lists/oss-security/2012/01/19/19 https://access.redhat.com/security/cve/cve-2011-4924 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4924 https://security-tracker.debian.org/tracker/CVE-2011-4924 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0

Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12. Existe una vulnerabilidad de tipo cross-Site Scripting (XSS) en páginas ZMI que emplean manage_tabs_message en Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12. • http://cve.killedkenny.io/cve/CVE-2009-5145 http://www.openwall.com/lists/oss-security/2015/03/02/7 http://www.securityfocus.com/bid/72792/info https://bugs.launchpad.net/zope2/+bug/490514 https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d https://security-tracker.debian.org/tracker/CVE-2009-5145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 47EXPL: 2

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x. Existen múltiples vulnerabilidades de Cross-Site Request Forgery (CSRF) en Zope Management Interface 4.3.7 y anteriores, así como en Plone en versiones anteriores a la 5.x. Zope Management Interface version 4.3.7 suffers from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/38411 http://packetstormsecurity.com/files/133889/Zope-Management-Interface-4.3.7-Cross-Site-Request-Forgery.html https://plone.org/security/hotfix/20151006 https://pypi.python.org/pypi/plone4.csrffixes • CWE-352: Cross-Site Request Forgery (CSRF) •