Richard Mitchell

Researcher fromPlone security team
#7120of 53,635
38.3Total CVSS
Vulnerabilities · 5
Medium
2
High
3
PT-2014-2317
5.3
2014-09-30
Plone Foundation · Plone · CVE-2012-5490
**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone versions 4.3 prior to beta 1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. This could potentially affect a large number of devices worldwide, although the exact number is not specified. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. For Plone versions 4.3 prior to beta 1, update to beta 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `kssdevel.py` module to minimize the risk of exploitation.
PT-2014-2319
6.9
2014-09-30
Plone Foundation · Plone · CVE-2012-5492
**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone version 4.3 before beta 1 **Description** The issue allows remote attackers to obtain metadata about hidden objects via a crafted URL. This is possible due to a flaw in the `uid catalog.py` component. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later. For Plone version 4.3 before beta 1, update to beta 1 or later. As a temporary workaround, consider restricting access to the `uid catalog.py` component until a patch is available.
PT-2014-2323
8.7
2014-09-30
Plone · Kupu · CVE-2012-5496
**Name of the Vulnerable Software and Affected Versions** Kupu in Plone versions prior to 4.0 **Description** The issue allows remote attackers to cause a denial of service, specifically a ZServer thread lock, by using a crafted URL. **Recommendations** For versions prior to 4.0, update to version 4.0 or later to resolve the issue.
PT-2014-2325
8.7
2014-09-16
Plone · Plone · CVE-2012-5498
**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone version 4.3 before beta 1 **Description** The issue allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. This is related to the queryCatalog.py script. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later. For Plone version 4.3 before beta 1, update to beta 1 or later.
PT-2014-2326
8.7
2014-09-16
Plone · Plone · CVE-2012-5499
**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 4.2.3 Plone versions 4.3 before beta 1 **Description** The issue allows remote attackers to cause a denial of service, specifically memory consumption, via a large value. This is related to the `formatColumns` function. **Recommendations** For Plone versions prior to 4.2.3, update to version 4.2.3 or later. For Plone versions 4.3 before beta 1, update to beta 1 or later. As a temporary workaround, consider restricting access to the `formatColumns` function until a patch is available.