SB2014012102 - Multiple vulnerabilities in Plone

Published: January 21, 2014 Updated: August 19, 2020

Security Bulletin ID: SB2014012102
Severity: Medium
Patch available: YES
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 54%, Low: 46%

Description

This security bulletin contains information about 13 security vulnerabilities.


1) Resource management error (CVE-ID: CVE-2013-4188)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service (infinite loop and resource consumption) via unspecified vectors related to "retrieving information for certain resources."


2) Input validation error (CVE-ID: CVE-2013-4189)

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, and (3) traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors.


3) Cross-site scripting (CVE-ID: CVE-2013-4190)

The vulnerability allows a remote attacker to perform cross-site scripting attacks.

An input validation error exists in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 when processing unspecified vectors. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4191)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.


5) Input validation error (CVE-ID: CVE-2013-4192)

The vulnerability allows a remote authenticated user to manipulate data.

sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4193)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.


7) Information disclosure (CVE-ID: CVE-2013-4194)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.


8) Input validation error (CVE-ID: CVE-2013-4195)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4196)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.


10) Input validation error (CVE-ID: CVE-2013-4197)

The vulnerability allows a remote authenticated user to manipulate or delete data.

member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors.


11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4198)

The vulnerability allows a remote authenticated user to manipulate data.

mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.


12) Input validation error (CVE-ID: CVE-2013-4199)

The vulnerability allows a remote authenticated user to perform service disruption.

(1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).
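The resource-consumption issue in item 12 is the familiar decompression-bomb pattern: a small archive whose entries expand to far more data than the server can afford. The following is an added example written for this bulletin, not code from Plone, cb_decode.py or linkintegrity.py. It shows the defensive pattern: check the sizes declared in the central directory first, refuse implausible expansion ratios, and then charge every byte actually produced against a fixed budget while streaming, so that a header which under-reports its size still cannot push decompression past the limit. The budget, ratio cap and sample archives are all constructed for the example.

```python
import io
import zipfile

# Constructed policy limits for this example; a real deployment would size
# them to its own expectations for uploaded archives.
MAX_TOTAL_BYTES = 1 * 1024 * 1024   # total uncompressed bytes we are willing to produce
MAX_RATIO = 100.0                   # uncompressed:compressed ratio above which we refuse


class ZipTooLarge(ValueError):
    """Raised when an archive would exceed the configured expansion budget."""


def safe_extract_bytes(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Expand a zip held in memory into {name: bytes}, refusing before and
    during decompression rather than after the memory is already spent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        # Cheap pre-checks on the central directory. These use sizes the
        # uploader controls, so they are a first filter, not the only one.
        if declared > max_total:
            raise ZipTooLarge(f"declared size {declared} exceeds budget {max_total}")
        if compressed > 0 and declared / compressed > max_ratio:
            raise ZipTooLarge(f"expansion ratio {declared / compressed:.0f}:1 exceeds {max_ratio}")
        out = {}
        budget = max_total
        for info in infos:
            chunks = []
            with zf.open(info) as fh:
                # Stream in bounded chunks and charge every byte actually
                # produced against the budget, so a header that under-reports
                # file_size still cannot make us expand past the limit.
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    budget -= len(chunk)
                    if budget < 0:
                        raise ZipTooLarge(f"{info.filename} expanded past budget {max_total}")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
        return out


def rejects(data, **limits):
    """True when safe_extract_bytes refuses the archive."""
    try:
        safe_extract_bytes(data, **limits)
    except ZipTooLarge:
        return True
    return False


def _make_zip(entries):
    """Build a constructed in-memory zip from {name: bytes} for the examples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives: one ordinary upload, one whose few kilobytes
# of compressed zeros would expand to 8 MiB, and one that fits the byte
# budget but has an implausible expansion ratio.
BENIGN_ZIP = _make_zip({"a.txt": b"hello"})
OVERSIZED_ZIP = _make_zip({"big.bin": b"\0" * (8 * 1024 * 1024)})
HIGH_RATIO_ZIP = _make_zip({"zeros.bin": b"\0" * (512 * 1024)})
```

The two pre-checks are cheap because they only read the central directory, but the streaming budget is what actually bounds memory: the declared sizes are attacker-controlled, so nothing should be trusted until the bytes have been counted as they are produced.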


13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4200)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.
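Item 13 describes a classic allow-list bypass: the check decided whether a URL was "relative" by looking at its raw prefix, so a leading space made an absolute external URL look relative and the allow_external_login_sites filter never applied. The following is an added example written for this bulletin, not Plone's isURLInPortal code: it places a check that reproduces the described flaw beside a hardened one that rejects whitespace and control characters before parsing, treats anything with a host as absolute, and compares the parsed host against an allow-list. The portal host and allowed external host are constructed stand-ins for the real property.

```python
from urllib.parse import urlsplit

# Constructed values for this example; Plone reads the real list from the
# allow_external_login_sites property.
PORTAL_HOST = "portal.example"
ALLOWED_EXTERNAL_HOSTS = {"sso.example"}


def weak_is_url_in_portal(url, portal_host=PORTAL_HOST):
    """Illustrates the flawed decision described in the bulletin: only a URL
    that literally starts with a scheme is treated as absolute, so anything
    else (including " http://...") is assumed to be relative and allowed."""
    if url.startswith(("http://", "https://")):
        return url.split("/")[2].lower() == portal_host
    return True


def safe_is_url_in_portal(url, portal_host=PORTAL_HOST, allowed=ALLOWED_EXTERNAL_HOSTS):
    """Hardened check: normalise before deciding, treat anything with a host
    as absolute, and compare the parsed host against an allow-list."""
    # Reject whitespace and control characters anywhere, before parsing.
    # urlsplit() has changed how it treats leading blanks across Python
    # versions, so the check must not depend on the parser's tolerance.
    if not url or any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    if "\\" in url:               # browsers treat "\" like "/" in authorities
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path only. A scheme-relative "//host" already has a
        # netloc, so it never reaches this branch.
        return parts.path.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False              # blocks javascript:, data: and scheme-relative "//host"
    host = parts.hostname          # parsed and lower-cased; ignores userinfo and port
    return host is not None and (host == portal_host or host in allowed)
```

The hardened version is deliberately strict: a bare "dashboard" without a leading slash is refused rather than guessed at, because the safe failure mode for a login redirect is to fall back to the portal's own front page.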


Remediation

Install the update from the vendor's website.