![](/assets/img/cve_300x82_sin_bg.png)
CVE-2012-5489
https://notcve.org/view.php?id=CVE-2012-5489
30 Sep 2014 — The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-5485 – (Plone): Restricted Python injection
https://notcve.org/view.php?id=CVE-2012-5485
16 Sep 2014 — registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remot... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •
CVE-2012-5486 – (Plone): Reflexive HTTP header injection
https://notcve.org/view.php?id=CVE-2012-5486
16 Sep 2014 — ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within ... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2012-5488 – (Plone): Restricted Python injection
https://notcve.org/view.php?id=CVE-2012-5488
16 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially craf... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2012-5497 – (Plone): Anonymous users can list user account names
https://notcve.org/view.php?id=CVE-2012-5497
16 Sep 2014 — membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when proc... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-5498 – (Plone): Partial denial of service through Collections functionality
https://notcve.org/view.php?id=CVE-2012-5498
16 Sep 2014 — queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A re... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •
CVE-2012-5499 – (Plone): Partial denial of service through internal function
https://notcve.org/view.php?id=CVE-2012-5499
16 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values pa... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVE-2012-5500 – (Plone): Anonymous users can batch change titles of content items
https://notcve.org/view.php?id=CVE-2012-5500
16 Sep 2014 — The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request. It was discover... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-284: Improper Access Control CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-7061
https://notcve.org/view.php?id=CVE-2013-7061
02 May 2014 — Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API. • http://www.openwall.com/lists/oss-security/2013/12/10/15 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-7060
https://notcve.org/view.php?id=CVE-2013-7060
02 May 2014 — Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. • http://www.openwall.com/lists/oss-security/2013/12/10/15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •