CVSS: 5.3EPSS: 0%CPEs: 62EXPL: 0CVE-2011-4462
https://notcve.org/view.php?id=CVE-2011-4462
30 Dec 2011 — Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Plone v4.1.3 y anteriores calcula los valores hash de los parámetros de forma, sin restringir la capacidad de desencadenar colisiones hash predecible, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) mediante el envío de gr... • http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 1CVE-2011-1340
https://notcve.org/view.php?id=CVE-2011-1340
05 Aug 2011 — Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en skins/plone_templates/default_error_message.pt de Plone en versiones anteriores a la 2.5.3. Permite a usuarios remotos inyectar codigo de script web o código HTML de su elección a través del parámetro type_name... • http://dev.plone.org/plone/changeset/12262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 57EXPL: 0CVE-2011-1948 – plone: A reflected cross site scripting vulnerability
https://notcve.org/view.php?id=CVE-2011-1948
06 Jun 2011 — Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Plone v4.1 y anteriores , permite a atacantes remotos inyectar secuencias de comandos web o HTML a través una URL manipulada. • http://osvdb.org/72727 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 1CVE-2008-4571
https://notcve.org/view.php?id=CVE-2008-4571
15 Oct 2008 — Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript even in an IMG tag. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo LiveSearch de Plone antes de 3.0.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante el campo Description para resultados de búsqueda, como s... • http://dev.plone.org/plone/ticket/7439 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2008-1394
https://notcve.org/view.php?id=CVE-2008-1394
20 Mar 2008 — Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes it easier for remote attackers to obtain access by sniffing the network. Plone CMS versiones anteriores a 3 pone en formato codificado base64 el nombre de usuario y la contraseña de todos los usuarios en la cookie __ac, facilitando a atacantes remotos obtener acceso mediante la escucha del tráfico de red. • http://plone.org/about/security/overview/security-overview-of-plone • CWE-255: Credentials Management Errors •
CVSS: 7.5EPSS: 11%CPEs: 3EXPL: 1CVE-2006-1711 – Plone 2.x - MembershipTool Access Control Bypass
https://notcve.org/view.php?id=CVE-2006-1711
11 Apr 2006 — Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits. • https://www.exploit-db.com/exploits/27630 •