Main Vulnerability Database Vulnerabilities #VU41253

#VU41253 Information disclosure in Plone - CVE-2012-5491

Published: September 30, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41253

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2012-5491

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Plone

Software vendor:
Plone

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

Remediation

Install update from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2012/11/10/1
https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
https://plone.org/products/plone/security/advisories/20121106/07
https://plone.org/products/plone-hotfix/releases/20121106