Main Vulnerability Database Vulnerabilities #VU41935

Permissions, Privileges, and Access Controls in Plone - CVE-2013-4193

Published: March 11, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41935

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2013-4193

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Plone

Affected software:
Plone

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.

How to mitigate CVE-2013-4193

Install update from vendor's website.

Sources

http://plone.org/products/plone/security/advisories/20130618-announcement
http://plone.org/products/plone-hotfix/releases/20130618
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978469

Permissions, Privileges, and Access Controls in Plone - CVE-2013-4193

Detailed vulnerability description

How to mitigate CVE-2013-4193

Sources

Please verify you're human