Page 2 of 17 results (0.007 seconds)

CVSS: 5.0EPSS: 0%CPEs: 65EXPL: 1

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, no resiembra el generador de números seudo aleatorios (PRNG), lo que facilita a atacantes remotos adivinar el valor a través de vectores no especificados. NOTA: este problema fue dividido (SPLIT) de CVE-2012-5508 debido a tipos diferentes de vulnerabilidades (ADT2). • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121124 https://plone.org/products/plone/security/advisories/20121106/24 • CWE-310: Cryptographic Issues •

CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. AccessControl/AuthEncoding.py en Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a atacantes remotos obtener contraseñas a través de vectores que involucran discrepancias de tiempos en la validación de contraseñas. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/23 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 6.5EPSS: 0%CPEs: 109EXPL: 0

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. La función App.Undo.UndoSupport.get_request_var_or_attr en Zope anterior a 2.12.21 y 3.13.x anterior a 2.13.11, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a usuarios remotos autenticados ganar el acceso a atributos restringidos a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1079238 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/05 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.4EPSS: 1%CPEs: 99EXPL: 0

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a través de un caracter 'linefeed' (LF). It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/930812 https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/02 https://access.redhat.com/security/cve/CVE-2012-5486 https://bugzilla.redhat.com/show_bug.cgi?id=878939 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 4.0EPSS: 3%CPEs: 162EXPL: 1

PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and other products, allows remote authenticated users to cause a denial of service (resource consumption or application halt) via certain (1) raise or (2) import statements. PythonScripts en Zope 2 2.11.2 y anteriores, como se usa en Conga y otros productos, permite a usuarios remotamente autentificados provocar una denegación de servicio (agotamiento de recursos o parada de aplicación) mediante ciertas sentencias (1) raise o (2) import. • https://www.exploit-db.com/exploits/32581 http://bugs.gentoo.org/show_bug.cgi?id=246411 http://mail.zope.org/pipermail/zope/2008-August/174025.html http://openwall.com/lists/oss-security/2008/11/12/2 http://www.vupen.com/english/advisories/2008/2418 http://www.zope.org/Products/Zope/Hotfix-2008-08-12/Hotfix_20080812-1.1.0.tar.gz http://www.zope.org/Products/Zope/Hotfix-2008-08-12/README.txt https://bugs.launchpad.net/zope2/+bug/257269 https://bugs • CWE-399: Resource Management Errors •