Vulnerabilities > Plone > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-05-02 | CVE-2013-7060 | Information Exposure vulnerability in Plone Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | 5.0 |
| 2014-03-11 | CVE-2013-4198 | Permissions, Privileges, and Access Controls vulnerability in Plone mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality. | 4.0 |
| 2014-03-11 | CVE-2013-4197 | Improper Input Validation vulnerability in Plone member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors. | 5.5 |
| 2014-03-11 | CVE-2013-4196 | Permissions, Privileges, and Access Controls vulnerability in Plone The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request. | 5.0 |
| 2014-03-11 | CVE-2013-4195 | Improper Input Validation vulnerability in Plone Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 5.8 |
| 2014-03-11 | CVE-2013-4194 | Information Exposure vulnerability in Plone The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | 4.3 |
| 2014-03-11 | CVE-2013-4193 | Permissions, Privileges, and Access Controls vulnerability in Plone typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL. | 4.3 |
| 2014-03-11 | CVE-2013-4192 | Improper Input Validation vulnerability in Plone sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors. | 4.0 |
| 2014-03-11 | CVE-2013-4191 | Permissions, Privileges, and Access Controls vulnerability in Plone zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive. | 5.8 |
| 2014-03-11 | CVE-2013-4190 | Cross-Site Scripting vulnerability in Plone Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |