Cross-site Scripting (XSS)Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the manage_tabs_message in ZMI pages. An attacker can manipulate web content or hijack user sessions.
How to fix Cross-site Scripting (XSS)? Upgrade Zope2 to version 2.12.5 or higher.
| |
Privilege Escalationzope2 is a Zope2 application server / web framework
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
| |
Arbitrary Code Executionzope2 is a Zope2 application server / web framework
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
| |
Timing Attackzope2 is a Zope2 application server / web framework
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
| |
Insecure Randomnesszope2 is a Zope2 application server / web framework
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).
| |
