Permissions, Privileges, and Access Controls in Plone - CVE-2013-4196


Published: March 11, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41938
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4196
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Plone
Affected software: Plone

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.

How to mitigate CVE-2013-4196

Install the update from the vendor's website.
