CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Plone » Plone » 4.3 : Security Vulnerabilities

Cpe Name:cpe:/a:plone:plone:4.3
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-5524 264 Bypass +Info 2017-03-23 2017-03-29
4.0
None Remote Low Single system Partial None None
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
2 CVE-2016-7147 79 XSS 2017-02-04 2017-02-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.
3 CVE-2016-7140 79 XSS 2017-03-07 2017-03-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
4 CVE-2016-7139 79 XSS 2017-03-07 2017-03-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
5 CVE-2016-7138 79 XSS 2017-03-07 2017-03-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
6 CVE-2016-7137 601 2017-03-07 2017-03-08
5.8
None Remote Medium Not required Partial Partial None
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.
7 CVE-2016-7136 79 XSS 2017-03-07 2017-03-08
4.3
None Remote Medium Not required None Partial None
z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.
8 CVE-2016-7135 22 Dir. Trav. 2017-03-07 2017-03-08
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
9 CVE-2016-4042 200 +Info 2017-02-24 2017-02-27
5.0
None Remote Low Not required Partial None None
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.
10 CVE-2016-4041 264 2017-02-24 2017-02-27
7.5
None Remote Low Not required Partial Partial Partial
Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.
11 CVE-2015-7316 79 XSS 2017-09-25 2017-10-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
12 CVE-2015-7315 284 2017-09-25 2017-10-03
4.3
None Remote Medium Not required None Partial None
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
13 CVE-2015-7293 352 CSRF 2017-09-25 2017-10-06
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
14 CVE-2013-7061 264 Bypass +Info 2014-05-02 2014-06-30
5.5
None Remote Low Single system Partial Partial None
Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.
15 CVE-2013-7060 200 +Info 2014-05-02 2014-06-30
5.0
None Remote Low Not required Partial None None
Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.
16 CVE-2013-4200 264 Bypass 2014-01-21 2014-01-22
5.8
None Remote Medium Not required Partial Partial None
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.
17 CVE-2013-4199 20 DoS 2014-03-11 2014-03-11
3.5
None Remote Medium Single system None None Partial
(1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).
18 CVE-2013-4198 264 Bypass 2014-03-11 2014-03-11
4.0
None Remote Low Single system None Partial None
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.
19 CVE-2013-4197 20 2014-03-11 2014-03-11
5.5
None Remote Low Single system None Partial Partial
member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors.
20 CVE-2013-4196 264 +Info 2014-03-11 2014-03-11
5.0
None Remote Low Not required Partial None None
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.
21 CVE-2013-4195 20 2014-03-11 2014-03-11
5.8
None Remote Medium Not required Partial Partial None
Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
22 CVE-2013-4194 200 +Info 2014-03-11 2014-03-11
4.3
None Remote Medium Not required Partial None None
The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.
23 CVE-2013-4193 264 2014-03-11 2014-03-11
4.3
None Remote Medium Not required None Partial None
typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.
24 CVE-2013-4192 20 2014-03-11 2014-03-11
4.0
None Remote Low Single system None Partial None
sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors.
25 CVE-2013-4191 264 +Info 2014-03-11 2014-03-11
5.8
None Remote Medium Not required Partial Partial None
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
26 CVE-2013-4190 79 XSS 2014-03-11 2014-03-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
27 CVE-2013-4189 2014-03-11 2014-03-11
6.5
None Remote Low Single system Partial Partial Partial
Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.
28 CVE-2013-4188 399 DoS 2014-03-11 2014-03-11
4.3
None Remote Medium Not required None None Partial
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources."
29 CVE-2012-6661 310 2014-11-03 2014-11-04
5.0
None Remote Low Not required Partial None None
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).
30 CVE-2012-5508 200 +Info 2014-11-03 2014-11-04
5.0
None Remote Low Not required Partial None None
The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope.
31 CVE-2012-5507 362 2014-09-30 2014-10-02
4.3
None Remote Medium Not required Partial None None
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
32 CVE-2012-5506 399 DoS 2014-09-30 2014-10-02
5.0
None Remote Low Not required None None Partial
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.
33 CVE-2012-5505 200 +Info 2014-09-30 2014-10-02
5.0
None Remote Low Not required Partial None None
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name.
34 CVE-2012-5504 79 XSS 2014-09-30 2014-10-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
35 CVE-2012-5503 2014-09-30 2014-10-01
5.0
None Remote Low Not required Partial None None
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.
36 CVE-2012-5502 79 XSS 2014-09-30 2014-10-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors.
37 CVE-2012-5501 264 2014-09-30 2014-10-01
5.0
None Remote Low Not required Partial None None
at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.
38 CVE-2012-5500 352 CSRF 2014-11-03 2014-11-04
4.3
None Remote Medium Not required None Partial None
The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.
39 CVE-2012-5499 399 DoS 2014-09-30 2014-10-10
5.0
None Remote Low Not required None None Partial
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.
40 CVE-2012-5498 264 DoS Bypass 2014-09-30 2015-11-17
5.0
None Remote Low Not required None None Partial
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.
41 CVE-2012-5497 200 +Info 2014-09-30 2014-10-10
5.0
None Remote Low Not required Partial None None
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.
42 CVE-2012-5495 94 Exec Code 2014-09-30 2014-10-02
5.0
None Remote Low Not required None None Partial
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
43 CVE-2012-5494 79 XSS 2014-09-30 2014-10-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."
44 CVE-2012-5493 94 Exec Code Bypass 2014-09-30 2014-10-01
8.5
None Remote Medium Single system Complete Complete Complete
gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.
45 CVE-2012-5492 200 +Info 2014-09-30 2014-10-01
5.0
None Remote Low Not required Partial None None
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL.
46 CVE-2012-5491 200 +Info 2014-09-30 2014-10-01
4.3
None Remote Medium Not required Partial None None
z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.
47 CVE-2012-5490 79 XSS 2014-09-30 2014-10-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
48 CVE-2012-5489 264 2014-09-30 2014-10-02
6.5
None Remote Low Single system Partial Partial Partial
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
49 CVE-2012-5488 94 Exec Code 2014-09-30 2014-10-10
5.0
None Remote Low Not required None None Partial
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.
50 CVE-2012-5487 264 Exec Code Bypass 2014-09-30 2014-10-01
8.5
None Remote Medium Single system Complete Complete Complete
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.
Total number of vulnerabilities : 52   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.