CVSS: 4.9EPSS: 0%CPEs: 32EXPL: 2CVE-2016-7135 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7135
12 Oct 2016 — Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Vulnerabilidad de salto de directorio en Plone CMS 5.x hasta la versión 5.0.6 y 4.2.x hasta la versión 4.3.11 permite a administradores remotos leer archivos arbitrarios a travçes de .. (punto punto) en el parámetro path en una acción... • https://packetstorm.news/files/id/139110 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 49EXPL: 2CVE-2016-7136 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7136
12 Oct 2016 — z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request. z3c.form en Plone CMS 5.x hasta la versión 5.0.6 y 4.x hasta la versión 4.3.11 permite a atacantes remotos llevar a cabo ataques de XSS a través de una petición GET manipulada. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7137 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7137
12 Oct 2016 — Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form. Múltiples vulnerabilidades de redirección abierta en Plone ... • https://packetstorm.news/files/id/139110 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7138 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7138
12 Oct 2016 — Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en la infraestructura de comprobación de URL en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipula... • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7139 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7139
12 Oct 2016 — Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de XSS en una plantilla de página no especificada en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores desconocid... • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7140 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7140
12 Oct 2016 — Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en la página ZMI en Zope2 en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no espe... • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 47EXPL: 3CVE-2015-7293 – Zope Management Interface 4.3.7 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-7293
07 Oct 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x. Existen múltiples vulnerabilidades de Cross-Site Request Forgery (CSRF) en Zope Management Interface 4.3.7 y anteriores, así como en Plone en versiones anteriores a la 5.x. Zope Management Interface version 4.3.7 suffers from a cross site request forgery vulnerability. • https://packetstorm.news/files/id/133889 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 65EXPL: 1CVE-2012-6661
https://notcve.org/view.php?id=CVE-2012-6661
03 Nov 2014 — Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, no resiembra el generador de números seudo aleatorios (PRNG), lo que facilita a atacantes remotos adivinar el valor... • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-310: Cryptographic Issues •
CVSS: 5.3EPSS: 0%CPEs: 64EXPL: 1CVE-2012-5508
https://notcve.org/view.php?id=CVE-2012-5508
03 Nov 2014 — The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. Las páginas de errores en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permiten a atacantes remotos obtener números aleatorios y derivar el estado PRNG para la restablecimiento de contras... • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5487
https://notcve.org/view.php?id=CVE-2012-5487
30 Sep 2014 — The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing. La función sandbox whitelisting (allowmodule.py) en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a usuarios remotos autenticados con ciertos privilegios evadir la restricción sandbox de Python y ejecutar código Python arbitrario a través de... • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-264: Permissions, Privileges, and Access Controls •