CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7941
https://notcve.org/view.php?id=CVE-2020-7941
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. Un problema de escalada de privilegios en plone.app.contenttypes en Plone versiones 4.3 hasta 5.2.1, permite a usuarios COLOCAR (sobrescribir) parte del contenido sin necesario un permiso de escritura. • http://www.openwall.com/lists/oss-security/2020/01/24/1 https://plone.org/security/hotfix/20200121 https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content https://www.openwall.com/lists/oss-security/2020/01/22/1 •
CVSS: 4.9EPSS: 0%CPEs: 9EXPL: 0CVE-2016-4043
https://notcve.org/view.php?id=CVE-2016-4043
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. Chameleon (five.pt) en Plone 5.0rc1 hasta la versión 5.1a1 permite a usuarios remotos autenticados eludir Restricted Python aprovechando permisos para crear y editar plantillas. • http://www.openwall.com/lists/oss-security/2016/04/20/3 https://plone.org/security/hotfix/20160419/bypass-restricted-python • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.9EPSS: 0%CPEs: 32EXPL: 1CVE-2016-7135 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7135
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Vulnerabilidad de salto de directorio en Plone CMS 5.x hasta la versión 5.0.6 y 4.2.x hasta la versión 4.3.11 permite a administradores remotos leer archivos arbitrarios a travçes de .. (punto punto) en el parámetro path en una acción getFile a Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/filesystem-information-leak • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 49EXPL: 1CVE-2016-7136 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7136
z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request. z3c.form en Plone CMS 5.x hasta la versión 5.0.6 y 4.x hasta la versión 4.3.11 permite a atacantes remotos llevar a cabo ataques de XSS a través de una petición GET manipulada. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 1CVE-2016-7137 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7137
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form. Múltiples vulnerabilidades de redirección abierta en Plone CMS 5.x hasta la versión 5.0.6, 4.x hasta la versión 4.3.11 y 3.3.x hasta la versión 3.3.6 permiten a atacantes remotos redirigir usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de URL en el parámetro referer a (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions o (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions o el parámetro (3) came_from a /login_form. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/open-redirection-in-plone • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •