Page 2 of 14 results (0.008 seconds)

CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0

Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12. Existe una vulnerabilidad de tipo cross-Site Scripting (XSS) en páginas ZMI que emplean manage_tabs_message en Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12. • http://cve.killedkenny.io/cve/CVE-2009-5145 http://www.openwall.com/lists/oss-security/2015/03/02/7 http://www.securityfocus.com/bid/72792/info https://bugs.launchpad.net/zope2/+bug/490514 https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d https://security-tracker.debian.org/tracker/CVE-2009-5145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 65EXPL: 1

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, no resiembra el generador de números seudo aleatorios (PRNG), lo que facilita a atacantes remotos adivinar el valor a través de vectores no especificados. NOTA: este problema fue dividido (SPLIT) de CVE-2012-5508 debido a tipos diferentes de vulnerabilidades (ADT2). • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121124 https://plone.org/products/plone/security/advisories/20121106/24 • CWE-310: Cryptographic Issues •

CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. AccessControl/AuthEncoding.py en Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a atacantes remotos obtener contraseñas a través de vectores que involucran discrepancias de tiempos en la validación de contraseñas. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/23 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 6.5EPSS: 0%CPEs: 109EXPL: 0

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. La función App.Undo.UndoSupport.get_request_var_or_attr en Zope anterior a 2.12.21 y 3.13.x anterior a 2.13.11, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a usuarios remotos autenticados ganar el acceso a atributos restringidos a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1079238 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/05 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.4EPSS: 1%CPEs: 99EXPL: 0

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a través de un caracter 'linefeed' (LF). It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/930812 https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/02 https://access.redhat.com/security/cve/CVE-2012-5486 https://bugzilla.redhat.com/show_bug.cgi?id=878939 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •