CVSS: 4.3EPSS: 0%CPEs: 49EXPL: 0CVE-2017-5524
https://notcve.org/view.php?id=CVE-2017-5524
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. Plone 4.x en veriones hasta 4.3.11 y 5.x en versiones hasta 5.0.6 permiten atacantes remotos evitar un mecanismo de protección sandbox y obtener información sensible aprovechando el método de formato de cadenas Python. • http://www.openwall.com/lists/oss-security/2017/01/18/6 http://www.securityfocus.com/bid/95679 https://plone.org/security/hotfix/20170117/sandbox-escape • CWE-134: Use of Externally-Controlled Format String •
CVSS: 4.9EPSS: 0%CPEs: 9EXPL: 0CVE-2016-4043
https://notcve.org/view.php?id=CVE-2016-4043
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. Chameleon (five.pt) en Plone 5.0rc1 hasta la versión 5.1a1 permite a usuarios remotos autenticados eludir Restricted Python aprovechando permisos para crear y editar plantillas. • http://www.openwall.com/lists/oss-security/2016/04/20/3 https://plone.org/security/hotfix/20160419/bypass-restricted-python • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 57EXPL: 0CVE-2016-7147 – Plone 5.0.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-7147
Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140. Vulnerabilidad de XSS en el componente manage_findResult en la funcionalidad de búsqueda de Zope ZMI en Plone en versiones anteriores a 4.3.12 y 5.x en versiones anteriores a 5.0.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que implican comillas dobles. Como se demuestra por el parámetro obj_ids: tokens. NOTA: esta vulnerabilidad existe debido a una corrección incompleta para CVE-2016-7140. • http://www.securityfocus.com/bid/96117 https://plone.org/security/hotfix/20170117 https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 https://www.curesec.com/blog/article/blog/Plone-XSS-186.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 32EXPL: 1CVE-2016-7135 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7135
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Vulnerabilidad de salto de directorio en Plone CMS 5.x hasta la versión 5.0.6 y 4.2.x hasta la versión 4.3.11 permite a administradores remotos leer archivos arbitrarios a travçes de .. (punto punto) en el parámetro path en una acción getFile a Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/filesystem-information-leak • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 49EXPL: 1CVE-2016-7136 – Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection
https://notcve.org/view.php?id=CVE-2016-7136
z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request. z3c.form en Plone CMS 5.x hasta la versión 5.0.6 y 4.x hasta la versión 4.3.11 permite a atacantes remotos llevar a cabo ataques de XSS a través de una petición GET manipulada. Plone CMS versions 4.3.11 and below and versions 5.0.6 and below suffer from cross site scripting, open redirection, and path traversal vulnerabilities. • http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html http://seclists.org/fulldisclosure/2016/Oct/80 http://www.openwall.com/lists/oss-security/2016/09/05/4 http://www.openwall.com/lists/oss-security/2016/09/05/5 http://www.securityfocus.com/archive/1/539572/100/0/threaded http://www.securityfocus.com/bid/92752 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •