Main Vulnerability Database Vulnerabilities #VU41940

Permissions, Privileges, and Access Controls in Plone - CVE-2013-4198

Published: March 11, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41940

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2013-4198

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Plone

Affected software:
Plone

Detailed vulnerability description

The vulnerability allows a remote #AU# to manipulate data.

mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.

How to mitigate CVE-2013-4198

Install update from vendor's website.

Sources

http://plone.org/products/plone/security/advisories/20130618-announcement
http://plone.org/products/plone-hotfix/releases/20130618
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978480

Permissions, Privileges, and Access Controls in Plone - CVE-2013-4198

Detailed vulnerability description

How to mitigate CVE-2013-4198

Sources

Please verify you're human