CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0CVE-2012-5507
https://notcve.org/view.php?id=CVE-2012-5507
30 Sep 2014 — AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. AccessControl/AuthEncoding.py en Zope anterior a 2.13.19, utilizado en Plone anterior a 4.2.3 y 4.3 anterior a beta 1, permite a atacantes remotos obtener contraseñas a través de vectores que involucran discrepancias de tiempos en la validación de contraseñas. • http://www.openwall.com/lists/oss-security/2012/11/10/1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.8EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5485 – (Plone): Restricted Python injection
https://notcve.org/view.php?id=CVE-2012-5485
16 Sep 2014 — registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. registerConfiglet.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos ejecutar código Python a través de vectores no especificados, relacionado con la interfaz de administración. It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remot... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 99EXPL: 0CVE-2012-5486 – (Plone): Reflexive HTTP header injection
https://notcve.org/view.php?id=CVE-2012-5486
16 Sep 2014 — ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a través de un caracter 'linefeed' (LF). It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within ... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5488 – (Plone): Restricted Python injection
https://notcve.org/view.php?id=CVE-2012-5488
16 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos ejecutar código Python a través de una URL manipulada, relacionado con createObject. It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially craf... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5497 – (Plone): Anonymous users can list user account names
https://notcve.org/view.php?id=CVE-2012-5497
16 Sep 2014 — membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. membership_tool.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos enumerar los nombres de las cuentas de usuarios a través de una URL manipulada. It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when proc... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 1%CPEs: 72EXPL: 0CVE-2012-5498 – (Plone): Partial denial of service through Collections functionality
https://notcve.org/view.php?id=CVE-2012-5498
16 Sep 2014 — queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. queryCatalog.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos evadir el chacheo y causar una denegación de servicio a través de una solicitud manipulada en una colección. It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A re... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 72EXPL: 0CVE-2012-5499 – (Plone): Partial denial of service through internal function
https://notcve.org/view.php?id=CVE-2012-5499
16 Sep 2014 — python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. python_scripts.py en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un valor grande, relacionado con formatColumns. It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values pa... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 64EXPL: 0CVE-2012-5500 – (Plone): Anonymous users can batch change titles of content items
https://notcve.org/view.php?id=CVE-2012-5500
16 Sep 2014 — The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request. La secuencias de comandos de cambio de id de batch (renameObjectsByPaths.py) en Plone anterior a 4.2.3 y 4.3 anterior a beta 1 permite a atacantes remotos cambiar los títulos de elementos del contenido mediante el aprovechamiento de un token CSRF válido en una solicitud manipulada. It was discover... • http://rhn.redhat.com/errata/RHSA-2014-1194.html • CWE-284: Improper Access Control CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 33EXPL: 0CVE-2013-7060
https://notcve.org/view.php?id=CVE-2013-7060
02 May 2014 — Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. Products/CMFPlone/FactoryTool.py en Plone 3.3 hasta 4.3.2 permite a atacantes remotos obtener la ruta de instalación a través de vectores relacionados con un objeto de archivo para documentación no especificada que es inicializada en el ámbito de clase. • http://www.openwall.com/lists/oss-security/2013/12/10/15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 33EXPL: 0CVE-2013-7061
https://notcve.org/view.php?id=CVE-2013-7061
02 May 2014 — Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API. Products/CMFPlone/CatalogTool.py en Plone 3.3 hasta 4.3.2 permite a administradores remotos evadir restricciones y obtener información sensible a través de una API de búsqueda no especificada. • http://www.openwall.com/lists/oss-security/2013/12/10/15 • CWE-264: Permissions, Privileges, and Access Controls •