thomasdesvenain

8 exploits, active since Sep 2014
CVE-2012-5485 WRITEUP
Plone <4.2.3, <4.3 - Beta 1 - RCE
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.
CVE-2012-5489 WRITEUP
Zope <2.12.21, <3.13.x - Privilege Escalation
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
CVE-2012-5490 WRITEUP
Plone <4.2.3, <4.3 - Beta 1 - XSS
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5495 WRITEUP
Plone <4.2.3, <4.3 - Beta 1 - RCE
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
CVE-2012-5496 WRITEUP
Kupu <4.0 - DoS
kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.
CVE-2012-5497 WRITEUP
Plone <4.2.3, <4.3 - Info Disclosure
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.
CVE-2012-5500 WRITEUP
Plone <4.2.3, <4.3 - Beta 1 - CSRF
The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.
CVE-2012-5501 WRITEUP
Plone <4.2.3, <4.3 - Info Disclosure
at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.