Filtered by vendor Plone
Subscriptions
Total
114 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2012-5494 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate." | ||||
CVE-2012-5508 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. | ||||
CVE-2012-5503 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. | ||||
CVE-2012-5496 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL. | ||||
CVE-2012-5493 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors. | ||||
CVE-2012-5506 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. | ||||
CVE-2012-5487 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing. | ||||
CVE-2012-5497 | 2 Plone, Redhat | 2 Plone, Rhel Cluster | 2024-08-06 | N/A |
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. | ||||
CVE-2012-5486 | 3 Plone, Redhat, Zope | 3 Plone, Rhel Cluster, Zope | 2024-08-06 | N/A |
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. | ||||
CVE-2012-5490 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2013-7061 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API. | ||||
CVE-2013-7060 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | ||||
CVE-2013-7062 | 1 Plone | 1 Plone | 2024-08-06 | 6.1 Medium |
Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. | ||||
CVE-2013-4196 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. | ||||
CVE-2013-4192 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors. | ||||
CVE-2013-4188 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." | ||||
CVE-2013-4194 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | ||||
CVE-2013-4189 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors. | ||||
CVE-2013-4195 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||||
CVE-2013-4198 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality. |