Vulnerabilities > Plone > Plone > 4.2.2

DATE CVE VULNERABILITY TITLE RISK
2018-01-03 CVE-2017-1000481 Open Redirect vulnerability in Plone
When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url.
network
plone CWE-601
5.8
2017-09-25 CVE-2015-7293 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
network
plone zope CWE-352
6.8
2017-09-25 CVE-2015-7317 Permissions, Privileges, and Access Controls vulnerability in multiple products
Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings.
4.9
2017-09-25 CVE-2015-7316 Cross-site Scripting vulnerability in Plone
Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
network
plone CWE-79
4.3
2017-09-25 CVE-2015-7315 Improper Access Control vulnerability in Plone
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
network
plone CWE-284
4.3
2017-03-23 CVE-2017-5524 Use of Externally-Controlled Format String vulnerability in Plone
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
network
low complexity
plone CWE-134
4.0
2017-03-07 CVE-2016-7140 Cross-site Scripting vulnerability in Plone
Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
plone CWE-79
4.3
2017-03-07 CVE-2016-7139 Cross-site Scripting vulnerability in Plone
Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
network
plone CWE-79
4.3
2017-03-07 CVE-2016-7138 Cross-site Scripting vulnerability in Plone
Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
network
plone CWE-79
4.3
2017-03-07 CVE-2016-7137 Open Redirect vulnerability in Plone
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.
network
plone CWE-601
5.8