HTTP Header Injectionzope2 is a Zope2 application server / web framework
Affected versions of this package are vulnerable to HTTP header Injection attacks due to incorrectly escaping of Carriage Return and Line Feed (CR/LF) characters in HTTP requests.
| |
Cross-site Scripting (XSS)zope2 is a Zope2 application server / web framework
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| [2.12,2.12.28)[2.13,2.13.21) |
Open Redirectzope2 is a Zope2 application server / web framework
Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
| |
Information Exposurezope2 is a Zope2 application server / web framework
The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.
| |
Denial of Service (DoS)zope2 is a Zope2 application server / web framework
(1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).
| |
