CVSS: 5.0EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5495
https://notcve.org/view.php?id=CVE-2012-5495
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back." python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos ejecutar código Python a través de una URL manipulada, relacionado con 'go_back.' • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/11 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.0EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5503
https://notcve.org/view.php?id=CVE-2012-5503
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. ftp.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos leer el contenido de carpetas escondidas a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/19 •
CVSS: 8.5EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5487
https://notcve.org/view.php?id=CVE-2012-5487
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing. La función sandbox whitelisting (allowmodule.py) en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a usuarios remotos autenticados con ciertos privilegios evadir la restricción sandbox de Python y ejecutar código Python arbitrario a través de vectores relacionados con la importación. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/03 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5494
https://notcve.org/view.php?id=CVE-2012-5494
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate." Vulnerabilidad de XSS en python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, relacionado con '{u,}translate.' • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0CVE-2012-5507
https://notcve.org/view.php?id=CVE-2012-5507
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. AccessControl/AuthEncoding.py en Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a atacantes remotos obtener contraseñas a través de vectores que involucran discrepancias de tiempos en la validación de contraseñas. • http://www.openwall.com/lists/oss-security/2012/11/10/1 https://bugs.launchpad.net/zope2/+bug/1071067 https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt https://plone.org/products/plone-hotfix/releases/20121106 https://plone.org/products/plone/security/advisories/20121106/23 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •