PT-2014-2328 · Plone · Plone

Alessandro Sauzher

·

Published

2014-09-30

·

Updated

2022-05-17

·

CVE-2012-5501

CVSS v4.0

8.7

High

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Plone 4.2.x before 4.2.3; Plone 4.3.x before 4.3 beta 1
Description at_download.py in Plone allows unauthenticated remote attackers to read arbitrary BLOBs (including File and Image fields) stored in custom content types via a crafted URL. The script serves the contents of a BLOB-backed field without an adequate authorization check, so a crafted request can retrieve data the requester is not permitted to view.
Recommendations Plone 4.2.x: update to 4.2.3 or later. Plone 4.3.x: update to 4.3 beta 1 or later. Until the update can be applied, restrict access to the at_download.py script as a temporary workaround (for example, at the reverse proxy in front of Plone). Legitimate downloads of File and Image fields on the same content types also go through that script, so a blanket block will disrupt them; scope the restriction accordingly and remove it once the update is in place.
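A triage script for incident responders, added here as an illustration and not part of this advisory or of Plone: it reads reverse-proxy access logs and lists which client pulled which field from which content object through at_download.py, so the exposure window before the update can be scoped. It assumes Archetypes fields are served at URLs of the form <object-url>/at_download/<fieldname>[/<filename>] and that the proxy logs in the common "combined" format; the log lines below are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2014:10:01:02 +0000] "GET /Plone/news/item1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Sep/2014:10:01:05 +0000] "GET /Plone/intranet/report/at_download/attachment HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Sep/2014:10:01:06 +0000] "GET /Plone/intranet/report/at_download/scan/scan.pdf HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
198.51.100.4 - alice [30/Sep/2014:10:02:00 +0000] "GET /Plone/intranet/report/at_download/attachment HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Sep/2014:10:03:00 +0000] "GET /Plone/intranet/report/at_download/nosuchfield HTTP/1.1" 404 211 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed URL shape: <object path>/at_download/<fieldname>[/<filename>][?query]
AT_DOWNLOAD = re.compile(r'^(?P<obj>.*?)/at_download/(?P<field>[^/?]+)')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_blob_downloads(log_text):
    """Return every request that actually served a field through at_download.py.

    Only HTTP 200 responses are kept: a 404 or 403 served no BLOB data, and the
    point of the triage is to know what left the server during the exposure window.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = AT_DOWNLOAD.match(rec["path"])
        if not m or rec["status"] != 200:
            continue
        hits.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "ts": rec["ts"],
            "object": m.group("obj"),
            "field": m.group("field"),
            "bytes": rec["size"],
        })
    return hits


def summarize_by_client(hits):
    """Map client IP -> sorted list of (object path, field) pairs it retrieved."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["ip"]].add((h["object"], h["field"]))
    return {ip: sorted(pairs) for ip, pairs in summary.items()}


if __name__ == "__main__":
    for ip, pairs in summarize_by_client(find_blob_downloads(SAMPLE_LOG)).items():
        print(ip)
        for obj, field in pairs:
            print(f"  {obj}  field={field}")
```

The output is a list of (client, object, field) triples to check against who should have had View access to each object; the proxy's user column is usually "-" for Plone sessions because Plone authenticates with a cookie rather than HTTP Basic auth, so it cannot by itself tell an anonymous request from a logged-in one. After the update these requests are ordinary downloads again, so the script is for scoping, not for ongoing alerting.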

Fix


Weakness Enumeration

Related Identifiers

CVE-2012-5501
GHSA-PVHV-QWC8-R2PG
PYSEC-2014-43

Affected Products

Plone