Vulnerabilities > Plone

DATE CVE VULNERABILITY TITLE RISK
2014-03-11 CVE-2013-4191 Permissions, Privileges, and Access Controls vulnerability in Plone
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
network
plone CWE-264
5.8
2014-03-11 CVE-2013-4190 Cross-Site Scripting vulnerability in Plone
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
plone CWE-79
4.3
2014-03-11 CVE-2013-4189 Security Bypass vulnerability in Plone
Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.
network
low complexity
plone
6.5
2014-03-11 CVE-2013-4188 Resource Management Errors vulnerability in Plone
traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources."
network
plone CWE-399
4.3
2011-12-30 CVE-2011-4462 Improper Input Validation vulnerability in Plone
Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
network
low complexity
plone CWE-20
5.0
2011-10-10 CVE-2011-4030 Permissions, Privileges, and Access Controls vulnerability in Plone Cmfeditions and Plone
The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.
network
plone CWE-264
critical
9.3
2011-10-10 CVE-2011-3587 Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
network
plone zope
critical
9.3
2011-08-05 CVE-2011-1340 Cross-Site Scripting vulnerability in Plone
Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.
network
plone CWE-79
4.3
2011-07-19 CVE-2011-2528 Remote Security vulnerability in Zope
Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.
network
low complexity
plone zope
7.5
2011-06-06 CVE-2011-1950 Permissions, Privileges, and Access Controls vulnerability in Plone 4.0/4.1
plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.
network
low complexity
plone CWE-264
5.5