David Glick

**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone versions 4.3 prior to beta 1 **Description** The issue allows remote attackers to obtain random numbers and derive the PRNG state for password resets. This could potentially be used to gain unauthorized access. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later. For Plone versions 4.3 prior to beta 1, update to beta 1 or later.

**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone versions 4.3 prior to beta 1 **Description** The issue allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id. This is possible due to the way `z3c.form` is used in Plone. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later. For Plone versions 4.3 prior to beta 1, update to beta 1 or later.

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 2.13.19 Plone versions prior to 4.3 beta 1 **Description** The issue allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character in the ZPublisher.HTTPRequest. scrubHeader function. **Recommendations** For Zope versions prior to 2.13.19, update to version 2.13.19 or later. For Plone versions prior to 4.3 beta 1, update to version 4.3 beta 1 or later.