PT-2014-2316 · Zope+1 · Zope+1
Tres Seaver
·
Published
2014-09-30
·
Updated
2018-07-23
·
CVE-2012-5489
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Zope versions prior to 2.12.21
Zope versions 2.13.x prior to 2.13.11
Plone versions prior to 4.2.3
Plone version 4.3 before beta 1
Description
The issue allows remote authenticated users to gain access to restricted attributes via unspecified vectors. This is due to a problem in the
get request var or attr function of App.Undo.UndoSupport in Zope, which is also used in Plone.Recommendations
For Zope versions prior to 2.12.21, update to version 2.12.21 or later.
For Zope versions 2.13.x prior to 2.13.11, update to version 2.13.11 or later.
For Plone versions prior to 4.2.3, update to version 4.2.3 or later.
For Plone version 4.3 before beta 1, update to beta 1 or later.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Plone
Zope