Main Vulnerability Database SB2025060836

SB2025060836 - Input validation error in Zope

Published: June 8, 2025 Updated: June 17, 2025

Security Bulletin ID SB2025060836

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2012-5486)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Remediation

Install update from vendor's website.

References

http://rhn.redhat.com/errata/RHSA-2014-1194.html
http://www.openwall.com/lists/oss-security/2012/11/10/1
https://bugs.launchpad.net/zope2/+bug/930812
https://plone.org/products/plone/security/advisories/20121106/02
https://plone.org/products/plone-hotfix/releases/20121106