Описание
Plone and Zope2 vulnerable to unauthorized access to restricted attributes
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2012-5489
- https://bugs.launchpad.net/zope2/+bug/1079238
- https://github.com/advisories/GHSA-879r-7f3w-8jj3
- https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-31.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-74.yaml
- https://plone.org/products/plone-hotfix/releases/20121106
- https://plone.org/products/plone/security/advisories/20121106/05
- http://www.openwall.com/lists/oss-security/2012/11/10/1
Пакеты
Zope2
< 2.12.21
2.12.21
Zope2
>= 2.13.0, < 2.13.11
2.13.11
Plone
>= 3.2.2, < 4.2.3
4.2.3
Plone
>= 4.3a1, <= 4.3a2
4.3b1
Связанные уязвимости
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope befo ...