SB2014093007 - Multiple vulnerabilities in Plone

Description

This security bulletin contains information about 21 secuirty vulnerabilities.

1) Cryptographic issues (CVE-ID: CVE-2012-6661)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

2) Cross-site request forgery (CVE-ID: CVE-2012-5500)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

3) Information disclosure (CVE-ID: CVE-2012-5508)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG reseeding issue in Zope.

4) Cross-site scripting (CVE-ID: CVE-2012-5490)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Information disclosure (CVE-ID: CVE-2012-5491)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

6) Information disclosure (CVE-ID: CVE-2012-5492)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL.

7) Code Injection (CVE-ID: CVE-2012-5493)

The vulnerability allows a remote #AU# to execute arbitrary code.

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.

8) Cross-site scripting (CVE-ID: CVE-2012-5494)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Code Injection (CVE-ID: CVE-2012-5495)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

10) Information disclosure (CVE-ID: CVE-2012-5497)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.

11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5498)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.

12) Resource management error (CVE-ID: CVE-2012-5499)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5501)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.

14) Cross-site scripting (CVE-ID: CVE-2012-5502)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

15) Input validation error (CVE-ID: CVE-2012-5503)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

16) Cross-site scripting (CVE-ID: CVE-2012-5504)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

17) Information disclosure (CVE-ID: CVE-2012-5505)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name.

18) Resource management error (CVE-ID: CVE-2012-5506)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

19) Code Injection (CVE-ID: CVE-2012-5485)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

20) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5487)

The vulnerability allows a remote #AU# to execute arbitrary code.

The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

21) Code Injection (CVE-ID: CVE-2012-5488)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2012/11/10/1
• https://bugs.launchpad.net/zope2/+bug/1071067
• https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
• https://plone.org/products/plone/security/advisories/20121106/24
• https://plone.org/products/plone-hotfix/releases/20121124
• http://rhn.redhat.com/errata/RHSA-2014-1194.html
• https://plone.org/products/plone/security/advisories/20121106/16
• https://plone.org/products/plone-hotfix/releases/20121106
• https://plone.org/products/plone/security/advisories/20121106/06
• https://plone.org/products/plone/security/advisories/20121106/07
• https://plone.org/products/plone/security/advisories/20121106/08
• https://plone.org/products/plone/security/advisories/20121106/09
• https://plone.org/products/plone/security/advisories/20121106/10
• https://plone.org/products/plone/security/advisories/20121106/11
• https://plone.org/products/plone/security/advisories/20121106/13
• http://www.openwall.com/lists/oss-security/2012/11/09/7
• https://plone.org/products/plone/security/advisories/20121106/14
• https://plone.org/products/plone/security/advisories/20121106/15
• https://plone.org/products/plone/security/advisories/20121106/17
• https://plone.org/products/plone/security/advisories/20121106/18
• https://plone.org/products/plone/security/advisories/20121106/19
• https://plone.org/products/plone/security/advisories/20121106/20
• https://plone.org/products/plone/security/advisories/20121106/21
• https://plone.org/products/plone/security/advisories/20121106/22
• https://plone.org/products/plone/security/advisories/20121106/01
• https://plone.org/products/plone/security/advisories/20121106/03
• https://plone.org/products/plone/security/advisories/20121106/04