CVSS: 6.1EPSS: 0%CPEs: 49EXPL: 2CVE-2016-7136 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7136
12 Oct 2016 — z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request. z3c.form en Plone CMS 5.x hasta la versión 5.0.6 y 4.x hasta la versión 4.3.11 permite a atacantes remotos llevar a cabo ataques de XSS a través de una petición GET manipulada. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7140 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7140
12 Oct 2016 — Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en la página ZMI en Zope2 en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no espe... • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 2CVE-2016-7139 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7139
12 Oct 2016 — Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de XSS en una plantilla de página no especificada en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores desconocid... • https://packetstorm.news/files/id/139110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 32EXPL: 2CVE-2016-7135 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7135
12 Oct 2016 — Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Vulnerabilidad de salto de directorio en Plone CMS 5.x hasta la versión 5.0.6 y 4.2.x hasta la versión 4.3.11 permite a administradores remotos leer archivos arbitrarios a travçes de .. (punto punto) en el parámetro path en una acción... • https://packetstorm.news/files/id/139110 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 47EXPL: 3CVE-2015-7293 – Zope Management Interface 4.3.7 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-7293
07 Oct 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x. Existen múltiples vulnerabilidades de Cross-Site Request Forgery (CSRF) en Zope Management Interface 4.3.7 y anteriores, así como en Plone en versiones anteriores a la 5.x. Zope Management Interface version 4.3.7 suffers from a cross site request forgery vulnerability. • https://packetstorm.news/files/id/133889 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 65EXPL: 1CVE-2012-6661
https://notcve.org/view.php?id=CVE-2012-6661
03 Nov 2014 — Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2). Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, no resiembra el generador de números seudo aleatorios (PRNG), lo que facilita a atacantes remotos adivinar el valor... • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-310: Cryptographic Issues •
CVSS: 5.3EPSS: 1%CPEs: 64EXPL: 1CVE-2012-5508
https://notcve.org/view.php?id=CVE-2012-5508
03 Nov 2014 — The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. Las páginas de errores en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permiten a atacantes remotos obtener números aleatorios y derivar el estado PRNG para la restablecimiento de contras... • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5506
https://notcve.org/view.php?id=CVE-2012-5506
30 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos causar una denegación de servicio (bucle infinito) a través de una solicitud de alimentación RSS para una carpeta al cual el usuario no tiene permiso de acceso. • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5503
https://notcve.org/view.php?id=CVE-2012-5503
30 Sep 2014 — ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. ftp.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos leer el contenido de carpetas escondidas a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5495
https://notcve.org/view.php?id=CVE-2012-5495
30 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back." python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos ejecutar código Python a través de una URL manipulada, relacionado con 'go_back.' • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •