Total
105 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-7060 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope. | |||||
| CVE-2013-4190 | 1 Plone | 1 Plone | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-5486 | 2 Plone, Zope | 2 Plone, Zope | 2025-04-12 | 6.4 MEDIUM | N/A |
| ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. | |||||
| CVE-2012-5506 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. | |||||
| CVE-2013-4191 | 1 Plone | 1 Plone | 2025-04-12 | 5.8 MEDIUM | N/A |
| zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive. | |||||
| CVE-2012-5508 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope. | |||||
| CVE-2013-4194 | 1 Plone | 1 Plone | 2025-04-12 | 4.3 MEDIUM | N/A |
| The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message. | |||||
| CVE-2012-5503 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. | |||||
| CVE-2012-5489 | 2 Plone, Zope | 2 Plone, Zope | 2025-04-12 | 6.5 MEDIUM | N/A |
| The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. | |||||
| CVE-2013-4192 | 1 Plone | 1 Plone | 2025-04-12 | 4.0 MEDIUM | N/A |
| sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors. | |||||
| CVE-2012-5499 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. | |||||
| CVE-2012-5494 | 1 Plone | 1 Plone | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate." | |||||
| CVE-2013-4195 | 1 Plone | 1 Plone | 2025-04-12 | 5.8 MEDIUM | N/A |
| Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2012-5490 | 1 Plone | 1 Plone | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-4189 | 1 Plone | 1 Plone | 2025-04-12 | 6.5 MEDIUM | N/A |
| Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors. | |||||
| CVE-2012-5507 | 2 Plone, Zope | 2 Plone, Zope | 2025-04-12 | 4.3 MEDIUM | N/A |
| AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. | |||||
| CVE-2012-5505 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A |
| atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name. | |||||
| CVE-2010-2422 | 1 Plone | 1 Plone | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform. | |||||
| CVE-2013-4200 | 1 Plone | 1 Plone | 2025-04-11 | 5.8 MEDIUM | N/A |
| The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login. | |||||
| CVE-2011-1950 | 1 Plone | 1 Plone | 2025-04-11 | 5.5 MEDIUM | N/A |
| plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011. | |||||