Cross-site Scripting (XSS)zope2 is a Zope2 application server / web framework
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| [2.12,2.12.28)[2.13,2.13.21) |
HTTP Header Injectionzope2 is a Zope2 application server / web framework
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
| |
Cross-site Scripting (XSS)zope2 is a Zope2 application server / web framework
Cross-site Scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."
| |
Arbitrary Code Executionzope2 is a Zope2 application server / web framework
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
| |
Information Exposurezope2 is a Zope2 application server / web framework
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.
| [2.12,2.12.27)[2.13,2.13.20) |
Cross-site Scripting (XSS)zope2 is a Zope2 application server / web framework
Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| [2.12,2.12.27)[2.13,2.13.20) |
Denial of Service (DoS)zope2 is a Zope2 application server / web framework
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.
| |
Timing Attackzope2 is a Zope2 application server / web framework
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
| |
Insecure Randomnesszope2 is a Zope2 application server / web framework
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).
| |