CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2015-7318
https://notcve.org/view.php?id=CVE-2015-7318
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses. Plone desde la versión 3.3.0 hasta la versión 3.3.6 permite que los atacantes remotos inyecten cabeceras en respuestas HTTP. • http://www.openwall.com/lists/oss-security/2015/09/22/16 https://bugzilla.redhat.com/show_bug.cgi?id=1264796 https://plone.org/security/hotfix/20150910 https://plone.org/security/hotfix/20150910/header-injection • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 40EXPL: 0CVE-2015-7315
https://notcve.org/view.php?id=CVE-2015-7315
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator. Plone desde la versión 3.3.0 hasta la 3.3.6, desde la 4.0.0 hasta la 4.0.10, desde la 4.1.0 hasta la 4.1.6, desde la 4.2.0 hasta la 4.2.7, desde la 4.3.0 hasta la 4.3.6 y la 5.0rc1 permite que los atacantes remotos añadan un nuevo miembro a un sitio Plone con el registro activado, sin el conocimiento del administrador del sitio. • http://www.openwall.com/lists/oss-security/2015/09/22/13 https://bugzilla.redhat.com/show_bug.cgi?id=1264791 https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406 https://plone.org/security/hotfix/20150910/anonymous-is-able-to-create-plone-members • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 51EXPL: 0CVE-2016-4042
https://notcve.org/view.php?id=CVE-2016-4042
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors. Plone 3.3 hasta la versión 5.1a1 permite a atacantes remotos obtener información sobre la ID de contenido sensible a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2016/04/20/2 https://plone.org/security/hotfix/20160419/unauthorized-disclosure-of-site-content • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 57EXPL: 0CVE-2016-7147 – Plone 5.0.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-7147
Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140. Vulnerabilidad de XSS en el componente manage_findResult en la funcionalidad de búsqueda de Zope ZMI en Plone en versiones anteriores a 4.3.12 y 5.x en versiones anteriores a 5.0.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que implican comillas dobles. Como se demuestra por el parámetro obj_ids: tokens. NOTA: esta vulnerabilidad existe debido a una corrección incompleta para CVE-2016-7140. • http://www.securityfocus.com/bid/96117 https://plone.org/security/hotfix/20170117 https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 https://www.curesec.com/blog/article/blog/Plone-XSS-186.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 1CVE-2016-7137 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7137
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form. Múltiples vulnerabilidades de redirección abierta en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permiten a atacantes remotos redirigir usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de URL en el parámetro referer a (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions o (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions o el parámetro (3) came_from a /login_form. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/open-redirection-in-plone • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •