Main Vulnerability Database Vulnerabilities #VU41936

Information disclosure in Plone - CVE-2013-4194

Published: March 11, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41936

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2013-4194

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Plone

Affected software:
Plone

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.

How to mitigate CVE-2013-4194

Install update from vendor's website.

Sources

http://plone.org/products/plone/security/advisories/20130618-announcement
http://plone.org/products/plone-hotfix/releases/20130618
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978470

Information disclosure in Plone - CVE-2013-4194

Detailed vulnerability description

How to mitigate CVE-2013-4194

Sources

Please verify you're human