Vulnerabilities > Plone > Plone > 2.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-03-11 | CVE-2013-4191 | Permissions, Privileges, and Access Controls vulnerability in Plone zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive. | 5.8 |
2014-03-11 | CVE-2013-4190 | Cross-Site Scripting vulnerability in Plone Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-03-11 | CVE-2013-4189 | Security Bypass vulnerability in Plone Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors. | 6.5 |
2014-03-11 | CVE-2013-4188 | Resource Management Errors vulnerability in Plone traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources." | 4.3 |
2011-12-30 | CVE-2011-4462 | Improper Input Validation vulnerability in Plone Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. | 5.0 |
2011-08-05 | CVE-2011-1340 | Cross-Site Scripting vulnerability in Plone Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject. | 4.3 |
2011-06-06 | CVE-2011-1949 | Cross-Site Scripting vulnerability in Plone Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422. | 3.5 |
2010-06-24 | CVE-2010-2422 | Cross-Site Scripting vulnerability in Plone Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform. | 4.3 |
2008-10-15 | CVE-2008-4571 | Cross-Site Scripting vulnerability in Plone Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript even in an IMG tag. | 4.3 |