Skip to main content

Plone CVE-2012-5500

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2014-11-03 secalert@redhat.com
4.3
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector
Network
Attack Complexity
M
Confidentiality
None
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 03, 2014 - 22:55 cve.org
MEDIUM 4.3

DescriptionCVE.org

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.

AnalysisAI

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request. Affected products include: Plone. Version information: before 4.2.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Plone

View all
CVE-2015-7293 HIGH POC
8.8 Sep 25

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone bef

CVE-2021-32633 HIGH POC
8.8 May 21

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl

CVE-2024-23756 HIGH POC
7.5 Feb 08

The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated

CVE-2013-4200 MEDIUM POC
5.8 Jan 21

The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x t

CVE-2016-7136 MEDIUM POC
6.1 Mar 07

z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (

CVE-2016-7140 MEDIUM POC
6.1 Mar 07

Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through

CVE-2016-7139 MEDIUM POC
6.1 Mar 07

Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3

CVE-2016-7138 MEDIUM POC
6.1 Mar 07

Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through

CVE-2016-7137 MEDIUM POC
6.1 Mar 07

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow

CVE-2021-33509 CRITICAL
9.9 May 21

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStru

CVE-2020-35190 CRITICAL
9.8 Dec 17

The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root u

CVE-2020-7941 CRITICAL
9.8 Jan 23

A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some c

Share

CVE-2012-5500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy