Permissions, Privileges, and Access Controls in Zope - CVE-2012-5489


Published: September 30, 2014 / Updated: June 8, 2025

Vulnerability identifier: #VU41251
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-5489
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zope
Affected software: Zope

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate restricted data.

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

How to mitigate CVE-2012-5489

Install the update from the vendor's website.

Sources