CVSS: 5.0EPSS: 0%CPEs: 65EXPL: 1CVE-2012-6661
https://notcve.org/view.php?id=CVE-2012-6661
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, no resiembra el generador de números seudo aleatorios (PRNG), lo que facilita a atacantes remotos adivinar el valor a través de vectores no especificados. NOTA: este problema fue dividido (SPLIT) de CVE-2012-5508 debido a tipos diferentes de vulnerabilidades (ADT2). • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121124 https://plone.org/products/plone/security/advisories/20121106/24 • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0CVE-2012-5507
https://notcve.org/view.php?id=CVE-2012-5507
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. AccessControl/AuthEncoding.py en Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a atacantes remotos obtener contraseñas a través de vectores que involucran discrepancias de tiempos en la validación de contraseñas. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/23 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.5EPSS: 0%CPEs: 109EXPL: 0CVE-2012-5489
https://notcve.org/view.php?id=CVE-2012-5489
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. La función App.Undo.UndoSupport.get_request_var_or_attr en Zope anterior a 2.12.21 y 3.13.x anterior a 2.13.11, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a usuarios remotos autenticados ganar el acceso a atributos restringidos a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1079238 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/05 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.4EPSS: 1%CPEs: 99EXPL: 0CVE-2012-5486 – (Plone): Reflexive HTTP header injection
https://notcve.org/view.php?id=CVE-2012-5486
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a través de un caracter 'linefeed' (LF). It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. • http://rhn.redhat.com/errata/RHSA-2014-1194.html http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/930812 https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/02 https://access.redhat.com/security/cve/CVE-2012-5486 https://bugzilla.redhat.com/show_bug.cgi?id=878939 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 4.3EPSS: 0%CPEs: 64EXPL: 0CVE-2010-1104 – zope: XSS on error page
https://notcve.org/view.php?id=CVE-2010-1104
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en Zope v2.8.x antes de v2.8.12, v2.9.x antes de v2.9.12, v2.10.x antes de v2.10.11, v2.11.x antes de v2.11.6 y v2.12.x antes de v2.12.3 permite a atacantes remotos inyectar HTML o scripts web a través de vectores relacionados con los mensajes de error. • http://secunia.com/advisories/38007 http://www.osvdb.org/61655 http://www.securityfocus.com/bid/37765 http://www.vupen.com/english/advisories/2010/0104 https://exchange.xforce.ibmcloud.com/vulnerabilities/55599 https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html https://access.redhat.com/security/cve/CVE-2010-1104 https://bugzilla.redhat.com/show_bug.cgi?id=577019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •