PT-2014-2756 · Plone Foundation · Plone
Author: Jan Lieskovsky · Published: 2014-03-11 · Updated: 2022-05-17 · CVE-2013-4193

| CVSS v4.0 | Severity | Vector |
|---|---|---|
| 8.2 | High | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Plone versions 2.1 through 4.1
Plone versions 4.2.x through 4.2.5
Plone versions 4.3.x through 4.3.1
Description
Plone does not properly enforce the immutable setting on unspecified content edit forms in the typeswidget.py file. This allows remote attackers to hide fields on those forms via a crafted URL.
Recommendations
For Plone versions 2.1 through 4.1, update to a version that properly enforces the immutable setting.
For Plone versions 4.2.x through 4.2.5, update to a version that properly enforces the immutable setting.
For Plone versions 4.3.x through 4.3.1, update to a version that properly enforces the immutable setting.
As a temporary workaround, consider restricting access to the typeswidget.py file until a patch is available.
Fix
Improper Access Control
Related Identifiers
Affected Products
Plone