PT-2014-2761 · Plone Foundation · Plone
Publicado
2014-03-11
·
Atualizado
2022-05-17
·
CVE-2013-4198
CVSS v4.0
5.3
Média
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Plone versions 2.1 through 4.1
Plone versions 4.2.x through 4.2.5
Plone versions 4.3.x through 4.3.1
Description
The issue allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality. This is related to the
mail password.py script.Recommendations
For Plone versions 2.1 through 4.1, update to a version that contains a fix for this issue.
For Plone versions 4.2.x through 4.2.5, update to a version that contains a fix for this issue.
For Plone versions 4.3.x through 4.3.1, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the forgotten password email functionality until a patch is available.
Correção
Incorrect Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Plone