PT-2014-2756 · Plone Foundation · Plone
Jan Lieskovsky
·
Published
2014-03-11
·
Updated
2022-05-17
·
CVE-2013-4193
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Plone versions 2.1 through 4.1
Plone versions 4.2.x through 4.2.5
Plone versions 4.3.x through 4.3.1
Description
typeswidget.py does not properly enforce the immutable setting on unspecified content edit forms. Because the form's field selection can be influenced by the request, a remote attacker can hide fields on those forms by supplying a crafted URL; per the vector above, no privileges or user interaction are required.
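The bug class behind this advisory is a server that lets request parameters decide which schema fields an edit form renders, even for fields the schema marks immutable. The following is an added illustration written for this page, not Plone's own code: the schema, the `portal_type` field, and the `?hide=` parameter are all hypothetical. `visible_fields_vulnerable` shows the pattern in which a crafted link removes an immutable field; `visible_fields_fixed` enforces the immutable setting server-side so the request can only hide fields the schema leaves optional.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Field:
    name: str
    # Server-side schema setting: an immutable field must always be rendered
    # and enforced regardless of what the request asks for.
    immutable: bool = False


# Constructed schema for a hypothetical content type (not a real Plone schema).
SCHEMA = (
    Field("title"),
    Field("description"),
    Field("portal_type", immutable=True),  # hypothetical immutable field
)


def hidden_from_query(url: str) -> set:
    """Fields the caller asks to hide via a hypothetical ?hide=a,b parameter.

    Repeated ?hide= parameters and comma-separated values are both accepted,
    since that is how a crafted link would typically smuggle several names in.
    """
    query = parse_qs(urlparse(url).query)
    hidden = set()
    for value in query.get("hide", []):
        hidden.update(name for name in value.split(",") if name)
    return hidden


def visible_fields_vulnerable(url: str) -> list:
    """Bug pattern: the request alone decides which fields the form renders,
    so an 'immutable' field disappears for anyone who follows a crafted link."""
    hidden = hidden_from_query(url)
    return [f.name for f in SCHEMA if f.name not in hidden]


def visible_fields_fixed(url: str) -> list:
    """Hardened: the immutable setting is enforced from the server-side schema.
    The request may only hide fields that are not marked immutable."""
    hidden = hidden_from_query(url)
    return [f.name for f in SCHEMA if f.immutable or f.name not in hidden]


if __name__ == "__main__":
    crafted = "https://example.test/doc/edit?hide=portal_type"  # constructed URL
    print("vulnerable:", visible_fields_vulnerable(crafted))
    print("fixed:     ", visible_fields_fixed(crafted))
```

The same rule has to hold on submission: whatever the rendered form omitted, the handler must still validate immutable fields from the stored object rather than from the request, otherwise hiding a field on the form becomes a way to submit it blank or with a default.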
Recommendations
For all affected versions (Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1), update to a release that properly enforces the immutable setting.
Note that typeswidget.py is a server-side Python module loaded by Plone, not a web-accessible resource, so restricting access to the file is not a meaningful mitigation; apply the vendor fix rather than relying on that as a workaround.
Fix
Improper Access Control
Related identifiers
Affected products
Plone