CVSS: 6.0 • EPSS: 0% • CPEs: 7 • EXPL: 0

The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.
• http://osvdb.org/53975
• http://plone.org/products/plone/security/advisories/cve-2009-0662
• http://secunia.com/advisories/34840
• http://www.securityfocus.com/bid/34664
• https://exchange.xforce.ibmcloud.com/vulnerabilities/50061
• CWE-287: Improper Authentication

CVSS: 4.3 • EPSS: 0% • CPEs: 11 • EXPL: 1

Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field of a content item shown in search results, as demonstrated using the onerror JavaScript event handler in an IMG tag. The stored Description was written into the LiveSearch result markup without being escaped.
• http://dev.plone.org/plone/ticket/7439
• http://osvdb.org/40660
• http://plone.org/products/plone/releases/3.0.4
• http://secunia.com/advisories/28293
• http://www.securityfocus.com/bid/27098
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
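As an added illustration (this is not Plone's LiveSearch code nor anything from the referenced ticket), the Python below shows the pattern behind this entry: a result snippet built by concatenating the stored Description into HTML, beside the same snippet with the field escaped, plus a small check that flags descriptions carrying an inline event handler. The function names, the markup skeleton and the sample description are assumptions made for the demo.

```python
import html
import re

# Constructed sample payload of the kind an editor could place in a Description
# field: an IMG tag whose onerror handler fires because src does not resolve.
MALICIOUS_DESCRIPTION = '<img src=x onerror="alert(document.cookie)">'
BENIGN_DESCRIPTION = "Quarterly report for the <finance> team"

# Matches a tag that carries an on* attribute (onerror, onload, onclick, ...).
_EVENT_HANDLER = re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def render_result_unsafe(title: str, description: str) -> str:
    """The flawed pattern: stored text is concatenated into the result markup
    as-is, so any HTML in the Description becomes part of the page."""
    return f'<li><a href="#">{title}</a><div class="desc">{description}</div></li>'


def render_result_safe(title: str, description: str) -> str:
    """The hardened form: both fields go through html.escape, which turns
    < > & " ' into entities, so the browser renders the text literally."""
    return (
        f'<li><a href="#">{html.escape(title)}</a>'
        f'<div class="desc">{html.escape(description)}</div></li>'
    )


def has_event_handler(description: str) -> bool:
    """Audit helper: True when a stored description contains a tag with an
    inline event-handler attribute. Useful for sweeping a catalog after the
    fix, since escaping output does not remove payloads already stored."""
    return _EVENT_HANDLER.search(description) is not None


if __name__ == "__main__":
    print(render_result_unsafe("Report", MALICIOUS_DESCRIPTION))
    print(render_result_safe("Report", MALICIOUS_DESCRIPTION))
    print(has_event_handler(MALICIOUS_DESCRIPTION), has_event_handler(BENIGN_DESCRIPTION))
```

The escaped output still contains the characters of the payload, just as entities, which is why the check in `has_event_handler` runs on the stored field rather than on rendered markup.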

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network. Because nothing in the MAC input changes between logins, the cookie value is the same every time and a single captured copy remains valid indefinitely.
• http://securityreason.com/securityalert/3754
• http://www.procheckup.com/Hacking_Plone_CMS.pdf
• http://www.securityfocus.com/archive/1/489544/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41421
• CWE-255: Credentials Management Errors

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side (the cookie is cleared in the browser, but the server keeps no record that would reject it), which makes it easier for context-dependent attackers to reuse a logged-out session.
• http://securityreason.com/securityalert/3754
• http://www.procheckup.com/Hacking_Plone_CMS.pdf
• http://www.securityfocus.com/archive/1/489544/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41423
• CWE-287: Improper Authentication

CVSS: 10.0 • EPSS: 1% • CPEs: 2 • EXPL: 2

Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network. Base64 is an encoding, not encryption: anyone who captures the cookie can decode the credentials directly.
• http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
• http://plone.org/products/plone/roadmap/48?
• http://securityreason.com/securityalert/3754
• http://www.procheckup.com/Hacking_Plone_CMS.pdf
• http://www.securityfocus.com/archive/1/489544/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41427
• CWE-255: Credentials Management Errors
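The three cookie entries above (the base64 __ac cookie, the HMAC-SHA1 cookie over invariant data, and the client-side-only logout) describe one design problem from three angles. The Python below is an added example, not Plone's own code or the ProCheckup paper's, that models each scheme as a small function so the failure is visible: scheme 1 is decodable by a sniffer, scheme 2 produces the same cookie on every login and stays valid after "logout" because the server holds no state, and scheme 3 binds the cookie to a random per-login session id and an expiry and keeps a server-side table that logout removes entries from. The secret, field layout, names and sample users are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed server-side secret for the demo (constructed, not a real Plone value).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


# Scheme 1: credentials stored in the cookie as base64("user:password").
def plaintext_cookie(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_credentials(cookie: str) -> Tuple[str, str]:
    """What a passive sniffer does with scheme 1: base64-decode and split."""
    user, _, password = base64.b64decode(cookie).decode().partition(":")
    return user, password


# Scheme 2: HMAC-SHA1 over invariant data (username + server secret only).
def invariant_hmac_cookie(username: str) -> str:
    mac = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha1).hexdigest()
    return f"{username}:{mac}"


def validate_invariant(cookie: str) -> Optional[str]:
    """Server check for scheme 2. Nothing server-side ever changes, so a
    captured cookie is accepted forever, including after a browser 'logout'."""
    username, _, mac = cookie.partition(":")
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha1).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


# Scheme 3: random per-login session id, expiry inside the signed payload, and
# a server-side table so logout actually invalidates the cookie.
class SessionStore:
    def __init__(self) -> None:
        self.active: Dict[str, Tuple[str, int]] = {}  # sid -> (user, expires)

    def login(self, username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        # Usernames are assumed not to contain ':' (the field separator).
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)
        expires = int(now) + ttl
        self.active[sid] = (username, expires)
        payload = f"{username}:{sid}:{expires}"
        mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def logout(self, cookie: str) -> None:
        """Server-side logout: drop the session so the cookie cannot be replayed."""
        parts = cookie.split(":")
        if len(parts) == 4:
            self.active.pop(parts[1], None)

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        try:
            username, sid, expires, mac = cookie.split(":")
        except ValueError:
            return None
        payload = f"{username}:{sid}:{expires}"
        expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered payload
        if sid not in self.active:
            return None  # logged out, or never issued by this server
        if now > int(expires):
            return None  # expired
        return username


if __name__ == "__main__":
    print(recover_credentials(plaintext_cookie("admin", "s3cret")))
    print(invariant_hmac_cookie("alice") == invariant_hmac_cookie("alice"))
    store = SessionStore()
    c = store.login("alice", now=1000)
    store.logout(c)
    print(store.validate(c, now=1500))
```

Scheme 3 still allows replay of a cookie captured while the session is live; the point it demonstrates is that the window closes at logout or expiry, whereas schemes 1 and 2 never close it. Sending the cookie only over TLS with the Secure flag is what removes the sniffing vector itself.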