Main Vulnerability Database Vulnerabilities #VU41253

Information disclosure in Plone - CVE-2012-5491

Published: September 30, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41253

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2012-5491

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Plone

Affected software:
Plone

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

How to mitigate CVE-2012-5491

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2012/11/10/1
https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
https://plone.org/products/plone/security/advisories/20121106/07
https://plone.org/products/plone-hotfix/releases/20121106

Information disclosure in Plone - CVE-2012-5491

Detailed vulnerability description

How to mitigate CVE-2012-5491

Sources

Please verify you're human