Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/8151?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/8151?format=api", "purl": "pkg:pypi/plone@4.3rc1", "type": "pypi", "namespace": "", "name": "plone", "version": "4.3rc1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.2.5", "latest_non_vulnerable_version": "6.0.7", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35035?format=api", "vulnerability_id": "VCID-17w2-gd3m-2qff", "summary": "z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-59.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-59.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms" }, { "reference_url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7136", "reference_id": "CVE-2016-7136", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7136" }, { "reference_url": "https://github.com/advisories/GHSA-22jm-p2vv-j2hc", "reference_id": "GHSA-22jm-p2vv-j2hc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-22jm-p2vv-j2hc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7136", "GHSA-22jm-p2vv-j2hc", "PYSEC-2017-59" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-17w2-gd3m-2qff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35037?format=api", "vulnerability_id": "VCID-5n6e-cha8-nyb8", "summary": "Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-61.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-61.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1" }, { "reference_url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7138", "reference_id": "CVE-2016-7138", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7138" }, { "reference_url": "https://github.com/advisories/GHSA-v3hp-f8qr-cf3p", "reference_id": "GHSA-v3hp-f8qr-cf3p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v3hp-f8qr-cf3p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7138", "GHSA-v3hp-f8qr-cf3p", "PYSEC-2017-61" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5n6e-cha8-nyb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35163?format=api", "vulnerability_id": "VCID-5ry7-xy6b-5fag", "summary": "Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.", "references": [ { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-72.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-72.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20171128/sandbox-escape", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20171128/sandbox-escape" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000483", "reference_id": "CVE-2017-1000483", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000483" }, { "reference_url": "https://github.com/advisories/GHSA-qc57-h2f7-p4hx", "reference_id": "GHSA-qc57-h2f7-p4hx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qc57-h2f7-p4hx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9718?format=api", "purl": "pkg:pypi/plone@4.3.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/10591?format=api", "purl": "pkg:pypi/plone@5.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1.0" } ], "aliases": [ "CVE-2017-1000483", "GHSA-qc57-h2f7-p4hx", "PYSEC-2018-72" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5ry7-xy6b-5fag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35042?format=api", "vulnerability_id": "VCID-6568-4ert-1bau", "summary": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-p5wr-vp8g-q5p4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p5wr-vp8g-q5p4" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/a7d47692058e10ce89968e7ca4dacbdf44fcad4f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/a7d47692058e10ce89968e7ca4dacbdf44fcad4f" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/1912", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/1912" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-81.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-81.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20170117/sandbox-escape", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20170117/sandbox-escape" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2017/01/18/6", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2017/01/18/6" }, { "reference_url": "http://www.securityfocus.com/bid/95679", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/95679" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5524", "reference_id": "CVE-2017-5524", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5524" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/10585?format=api", "purl": "pkg:pypi/plone@5.1b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1b1" } ], "aliases": [ "CVE-2017-5524", "GHSA-p5wr-vp8g-q5p4", "PYSEC-2017-81" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6568-4ert-1bau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35162?format=api", "vulnerability_id": "VCID-69ps-uetw-y3gf", "summary": "A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.", "references": [ { "reference_url": "https://github.com/plone/Products.CMFPlone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/2232", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/2232" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2233", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2233" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2234", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2234" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2235", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2235" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2236", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2236" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-71.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000482", "reference_id": "CVE-2017-1000482", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000482" }, { "reference_url": "https://github.com/advisories/GHSA-859j-668v-mrr6", "reference_id": "GHSA-859j-668v-mrr6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-859j-668v-mrr6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9718?format=api", "purl": "pkg:pypi/plone@4.3.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/10591?format=api", "purl": "pkg:pypi/plone@5.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1.0" } ], "aliases": [ "CVE-2017-1000482", "GHSA-859j-668v-mrr6", "PYSEC-2018-71" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-69ps-uetw-y3gf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35702?format=api", "vulnerability_id": "VCID-8rp3-p3qe-x7ej", "summary": "Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).", "references": [ { "reference_url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt" }, { "reference_url": "https://github.com/advisories/GHSA-2c8c-84w2-j38j", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2c8c-84w2-j38j" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/3209", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/3209" }, { "reference_url": "https://www.misakikata.com/codes/plone/python-en.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.misakikata.com/codes/plone/python-en.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19507?format=api", "purl": "pkg:pypi/plone@5.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.3" } ], "aliases": [ "CVE-2020-28736", "GHSA-2c8c-84w2-j38j", "PYSEC-2020-248" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8rp3-p3qe-x7ej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35491?format=api", "vulnerability_id": "VCID-9gu8-dgkr-sua3", "summary": "An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.", "references": [ { "reference_url": "https://plone.org/security/hotfix/20200121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20200121" }, { "reference_url": "https://plone.org/security/hotfix/20200121/an-open-redirection-on-the-login-form-and-possibly-other-places", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20200121/an-open-redirection-on-the-login-form-and-possibly-other-places" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2020/01/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2020/01/22/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/01/24/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/01/24/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/14881?format=api", "purl": "pkg:pypi/plone@5.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.2" } ], "aliases": [ "CVE-2020-7936", "PYSEC-2020-85" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9gu8-dgkr-sua3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35806?format=api", "vulnerability_id": "VCID-ax8a-2g7j-6ya2", "summary": "Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-fj67-w3m4-rfmp", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fj67-w3m4-rfmp" }, { "reference_url": "https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33513", "GHSA-fj67-w3m4-rfmp", "PYSEC-2021-85" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ax8a-2g7j-6ya2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35033?format=api", "vulnerability_id": "VCID-ay85-551m-vfej", "summary": "Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-60.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-60.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/open-redirection-in-plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/open-redirection-in-plone" }, { "reference_url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7137", "reference_id": "CVE-2016-7137", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7137" }, { "reference_url": "https://github.com/advisories/GHSA-69vh-662j-v988", "reference_id": "GHSA-69vh-662j-v988", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-69vh-662j-v988" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7137", "GHSA-69vh-662j-v988", "PYSEC-2017-60" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ay85-551m-vfej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35798?format=api", "vulnerability_id": "VCID-basq-jjsf-3fbd", "summary": "Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.", "references": [ { "reference_url": "https://plone.org/download/releases/5.2.3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/download/releases/5.2.3" }, { "reference_url": "https://plone.org/security/hotfix/20210518", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518" }, { "reference_url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21990?format=api", "purl": "pkg:pypi/plone@5.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.4" } ], "aliases": [ "CVE-2021-3313", "PYSEC-2021-78" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-basq-jjsf-3fbd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35489?format=api", "vulnerability_id": "VCID-bmwk-nutp-r3fs", "summary": "SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)", "references": [ { "reference_url": "https://plone.org/security/hotfix/20200121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20200121" }, { "reference_url": "https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2020/01/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2020/01/22/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/01/24/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/01/24/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/14881?format=api", "purl": "pkg:pypi/plone@5.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.2" } ], "aliases": [ "CVE-2020-7939", "PYSEC-2020-88" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bmwk-nutp-r3fs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35117?format=api", "vulnerability_id": "VCID-cpwq-sq8b-4yhf", "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/133889/Zope-Management-Interface-4.3.7-Cross-Site-Request-Forgery.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/133889/Zope-Management-Interface-4.3.7-Cross-Site-Request-Forgery.html" }, { "reference_url": "https://plone.org/security/hotfix/20151006", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20151006" }, { "reference_url": "https://pypi.python.org/pypi/plone4.csrffixes", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.python.org/pypi/plone4.csrffixes" }, { "reference_url": "https://www.exploit-db.com/exploits/38411/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/38411/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9723?format=api", "purl": "pkg:pypi/plone@5.0a1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6568-4ert-1bau" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-d6hq-qfek-1bgu" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-h4kd-eh8g-gude" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-wuas-tkd4-rkd4" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" }, { "vulnerability": "VCID-zy2g-gzmk-1qcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0a1" } ], "aliases": [ "CVE-2015-7293", "PYSEC-2017-51" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cpwq-sq8b-4yhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35801?format=api", "vulnerability_id": "VCID-d42u-s7za-a3ad", "summary": "Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-gc9g-67cq-p7v4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gc9g-67cq-p7v4" }, { "reference_url": "https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33511", "GHSA-gc9g-67cq-p7v4", "PYSEC-2021-83" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d42u-s7za-a3ad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35161?format=api", "vulnerability_id": "VCID-dg61-tw4u-dbcc", "summary": "When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.", "references": [ { "reference_url": "https://github.com/plone/Products.CMFPlone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/05a943ecbcdda56bacc93b55c9e2e908d8a7dfab" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/0e50e1e67ea3b6d3187f78cb1a1628081f654d3b" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/236b62b756ff46a92783b3897e717dfb15eb07d8" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/7db5b2c8fb684055987b8c4fdedc29289bd26373" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/2232", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/2232" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2233", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2233" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2234", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2234" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2235", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2235" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/pull/2236", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/pull/2236" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-70.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-70.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20171128/open-redirection-on-login-form", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20171128/open-redirection-on-login-form" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000481", "reference_id": "CVE-2017-1000481", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000481" }, { "reference_url": "https://github.com/advisories/GHSA-8g72-gq68-6gqh", "reference_id": "GHSA-8g72-gq68-6gqh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8g72-gq68-6gqh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9718?format=api", "purl": "pkg:pypi/plone@4.3.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/10591?format=api", "purl": "pkg:pypi/plone@5.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1.0" } ], "aliases": [ "CVE-2017-1000481", "GHSA-8g72-gq68-6gqh", "PYSEC-2018-70" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dg61-tw4u-dbcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35164?format=api", "vulnerability_id": "VCID-edq7-7ncc-mbfx", "summary": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)", "references": [ { "reference_url": "https://github.com/advisories/GHSA-xvwv-6wvx-px9x", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvwv-6wvx-px9x" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/2232", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/2232" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-73.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-73.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20171128/an-open-redirection-when-calling-a-specific-url", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20171128/an-open-redirection-when-calling-a-specific-url" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000484", "reference_id": "CVE-2017-1000484", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000484" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9718?format=api", "purl": "pkg:pypi/plone@4.3.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/10591?format=api", "purl": "pkg:pypi/plone@5.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1.0" } ], "aliases": [ "CVE-2017-1000484", "GHSA-xvwv-6wvx-px9x", "PYSEC-2018-73" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-edq7-7ncc-mbfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35800?format=api", "vulnerability_id": "VCID-eu4z-htaq-c3d6", "summary": "Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-4mg4-wvmx-5332", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4mg4-wvmx-5332" }, { "reference_url": "https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33510", "GHSA-4mg4-wvmx-5332", "PYSEC-2021-82" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eu4z-htaq-c3d6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35701?format=api", "vulnerability_id": "VCID-exan-4j3e-2qeh", "summary": "Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.", "references": [ { "reference_url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt" }, { "reference_url": "https://github.com/advisories/GHSA-wq6x-g685-w5f2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wq6x-g685-w5f2" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/3209", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/3209" }, { "reference_url": "https://www.misakikata.com/codes/plone/python-en.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.misakikata.com/codes/plone/python-en.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19507?format=api", "purl": "pkg:pypi/plone@5.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.3" } ], "aliases": [ "CVE-2020-28734", "GHSA-wq6x-g685-w5f2", "PYSEC-2020-246" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-exan-4j3e-2qeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35700?format=api", "vulnerability_id": "VCID-fdpc-runu-ekah", "summary": "Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).", "references": [ { "reference_url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt" }, { "reference_url": "https://github.com/advisories/GHSA-x7wf-5mjc-6x76", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x7wf-5mjc-6x76" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/issues/3209", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/issues/3209" }, { "reference_url": "https://www.misakikata.com/codes/plone/python-en.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.misakikata.com/codes/plone/python-en.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19507?format=api", "purl": "pkg:pypi/plone@5.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.3" } ], "aliases": [ "CVE-2020-28735", "GHSA-x7wf-5mjc-6x76", "PYSEC-2020-247" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fdpc-runu-ekah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35022?format=api", "vulnerability_id": "VCID-hhux-xufk-ube2", "summary": "Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.", "references": [ { "reference_url": "https://plone.org/security/hotfix/20170117", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20170117" }, { "reference_url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2" }, { "reference_url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html" }, { "reference_url": "http://www.securityfocus.com/bid/96117", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/96117" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7147", "PYSEC-2017-64" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhux-xufk-ube2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35032?format=api", "vulnerability_id": "VCID-mn7t-zgfw-tqfw", "summary": "Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-58.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-58.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/filesystem-information-leak", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/filesystem-information-leak" }, { "reference_url": "https://pypi.org/project/Products.PloneHotfix20160830", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/Products.PloneHotfix20160830" }, { "reference_url": "https://web.archive.org/web/20200227230348/http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200227230348/http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7135", "reference_id": "CVE-2016-7135", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7135" }, { "reference_url": "https://github.com/advisories/GHSA-m7f9-65wr-pwch", "reference_id": "GHSA-m7f9-65wr-pwch", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m7f9-65wr-pwch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7135", "GHSA-m7f9-65wr-pwch", "PYSEC-2017-58" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mn7t-zgfw-tqfw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34873?format=api", "vulnerability_id": "VCID-n4nh-4rq4-r7hx", "summary": "Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.", "references": [ { "reference_url": "https://plone.org/security/20131210/path-leak", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/20131210/path-leak" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/10/15", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2013/12/10/15" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/12/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2013/12/12/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/8152?format=api", "purl": "pkg:pypi/plone@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17w2-gd3m-2qff" }, { "vulnerability": "VCID-5n6e-cha8-nyb8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-6568-4ert-1bau" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-ay85-551m-vfej" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-h4kd-eh8g-gude" }, { "vulnerability": "VCID-hhux-xufk-ube2" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-mn7t-zgfw-tqfw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-wuas-tkd4-rkd4" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-yfkz-3xu3-vyc9" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" }, { "vulnerability": "VCID-zy2g-gzmk-1qcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.3" } ], "aliases": [ "CVE-2013-7060", "PYSEC-2014-65", "PYSEC-2014-67" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4nh-4rq4-r7hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35805?format=api", "vulnerability_id": "VCID-p71t-er3d-9fdn", "summary": "Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-hm2h-f456-6j88", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hm2h-f456-6j88" }, { "reference_url": "https://plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33512", "GHSA-hm2h-f456-6j88", "PYSEC-2021-84" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p71t-er3d-9fdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35030?format=api", "vulnerability_id": "VCID-pzke-4by2-w3hk", "summary": "Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.", "references": [ { "reference_url": "https://plone.org/security/hotfix/20160419/unauthorized-disclosure-of-site-content", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160419/unauthorized-disclosure-of-site-content" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/04/20/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9714?format=api", "purl": "pkg:pypi/plone@5.1a2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1a2" } ], "aliases": [ "CVE-2016-4042", "PYSEC-2017-56" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pzke-4by2-w3hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35804?format=api", "vulnerability_id": "VCID-q7nt-b3s9-9kf6", "summary": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-35rg-466w-77h3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-35rg-466w-77h3" }, { "reference_url": "https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33507", "GHSA-35rg-466w-77h3", "PYSEC-2021-79" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q7nt-b3s9-9kf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35802?format=api", "vulnerability_id": "VCID-r52t-hx1j-ufa1", "summary": "Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-rmpv-rcp6-v8wc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rmpv-rcp6-v8wc" }, { "reference_url": "https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33508", "GHSA-rmpv-rcp6-v8wc", "PYSEC-2021-80" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r52t-hx1j-ufa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34872?format=api", "vulnerability_id": "VCID-w2mv-zekv-8fcv", "summary": "Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.", "references": [ { "reference_url": "https://github.com/plone/Products.CMFPlone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone" }, { "reference_url": "https://github.com/plone/Products.CMFPlone/commit/a6a3e50f759da7e7ca46e50777a35e51f4d8ed48", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Products.CMFPlone/commit/a6a3e50f759da7e7ca46e50777a35e51f4d8ed48" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-66.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-66.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfplone/PYSEC-2014-68.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfplone/PYSEC-2014-68.yaml" }, { "reference_url": "https://plone.org/security/20131210/catalogue-exposure", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/20131210/catalogue-exposure" }, { "reference_url": "https://pypi.org/project/Products.PloneHotfix20131210", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/Products.PloneHotfix20131210" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/10/15", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2013/12/10/15" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/12/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2013/12/12/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7061", "reference_id": "CVE-2013-7061", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7061" }, { "reference_url": "https://github.com/advisories/GHSA-4vr8-r7qr-fpvq", "reference_id": "GHSA-4vr8-r7qr-fpvq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4vr8-r7qr-fpvq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/8152?format=api", "purl": "pkg:pypi/plone@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17w2-gd3m-2qff" }, { "vulnerability": "VCID-5n6e-cha8-nyb8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-6568-4ert-1bau" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-ay85-551m-vfej" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-h4kd-eh8g-gude" }, { "vulnerability": "VCID-hhux-xufk-ube2" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-mn7t-zgfw-tqfw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-wuas-tkd4-rkd4" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-yfkz-3xu3-vyc9" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" }, { "vulnerability": "VCID-zy2g-gzmk-1qcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.3" } ], "aliases": [ "CVE-2013-7061", "GHSA-4vr8-r7qr-fpvq", "PYSEC-2014-66", "PYSEC-2014-68" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w2mv-zekv-8fcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35803?format=api", "vulnerability_id": "VCID-x2xm-hpc2-uubq", "summary": "Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-hm2p-fhwx-9285", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hm2p-fhwx-9285" }, { "reference_url": "https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22026?format=api", "purl": "pkg:pypi/plone@5.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5" } ], "aliases": [ "CVE-2021-33509", "GHSA-hm2p-fhwx-9285", "PYSEC-2021-81" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x2xm-hpc2-uubq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35034?format=api", "vulnerability_id": "VCID-yfkz-3xu3-vyc9", "summary": "Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-62.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-62.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone" }, { "reference_url": "https://web.archive.org/web/20201207134910/http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201207134910/http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7139", "reference_id": "CVE-2016-7139", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7139" }, { "reference_url": "https://github.com/advisories/GHSA-pp4c-2692-7f37", "reference_id": "GHSA-pp4c-2692-7f37", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pp4c-2692-7f37" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9623?format=api", "purl": "pkg:pypi/plone@5.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17w2-gd3m-2qff" }, { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5n6e-cha8-nyb8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-6568-4ert-1bau" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-ay85-551m-vfej" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-hhux-xufk-ube2" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-mn7t-zgfw-tqfw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-yfkz-3xu3-vyc9" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" }, { "vulnerability": "VCID-zy2g-gzmk-1qcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7139", "GHSA-pp4c-2692-7f37", "PYSEC-2017-62" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yfkz-3xu3-vyc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35029?format=api", "vulnerability_id": "VCID-zwnj-revc-vbd6", "summary": "Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.", "references": [ { "reference_url": "https://plone.org/security/hotfix/20160419/privilege-escalation-in-webdav", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160419/privilege-escalation-in-webdav" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/04/20/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9714?format=api", "purl": "pkg:pypi/plone@5.1a2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1a2" } ], "aliases": [ "CVE-2016-4041", "PYSEC-2017-55" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zwnj-revc-vbd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35036?format=api", "vulnerability_id": "VCID-zy2g-gzmk-1qcz", "summary": "Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html" }, { "reference_url": "http://seclists.org/fulldisclosure/2016/Oct/80", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2016/Oct/80" }, { "reference_url": "https://github.com/plone/Plone", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/plone/Plone" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-63.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-63.yaml" }, { "reference_url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/05/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/09/05/5" }, { "reference_url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/539572/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/92752", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/92752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7140", "reference_id": "CVE-2016-7140", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7140" }, { "reference_url": "https://github.com/advisories/GHSA-chvw-gjxf-f8mc", "reference_id": "GHSA-chvw-gjxf-f8mc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-chvw-gjxf-f8mc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9624?format=api", "purl": "pkg:pypi/plone@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-cpwq-sq8b-4yhf" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/9625?format=api", "purl": "pkg:pypi/plone@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29gf-82fr-k3h8" }, { "vulnerability": "VCID-5ry7-xy6b-5fag" }, { "vulnerability": "VCID-69ps-uetw-y3gf" }, { "vulnerability": "VCID-8rp3-p3qe-x7ej" }, { "vulnerability": "VCID-8wkk-84ky-17ak" }, { "vulnerability": "VCID-951j-w95x-83g8" }, { "vulnerability": "VCID-9gu8-dgkr-sua3" }, { "vulnerability": "VCID-ax8a-2g7j-6ya2" }, { "vulnerability": "VCID-basq-jjsf-3fbd" }, { "vulnerability": "VCID-bmwk-nutp-r3fs" }, { "vulnerability": "VCID-d42u-s7za-a3ad" }, { "vulnerability": "VCID-dg61-tw4u-dbcc" }, { "vulnerability": "VCID-edq7-7ncc-mbfx" }, { "vulnerability": "VCID-eu4z-htaq-c3d6" }, { "vulnerability": "VCID-exan-4j3e-2qeh" }, { "vulnerability": "VCID-fdpc-runu-ekah" }, { "vulnerability": "VCID-j8fv-uhxw-jkcw" }, { "vulnerability": "VCID-jvvz-bafs-t7gc" }, { "vulnerability": "VCID-p71t-er3d-9fdn" }, { "vulnerability": "VCID-pzke-4by2-w3hk" }, { "vulnerability": "VCID-q7nt-b3s9-9kf6" }, { "vulnerability": "VCID-r52t-hx1j-ufa1" }, { "vulnerability": "VCID-x2xm-hpc2-uubq" }, { "vulnerability": "VCID-z4jt-v88h-77er" }, { "vulnerability": "VCID-zwnj-revc-vbd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7" } ], "aliases": [ "CVE-2016-7140", "GHSA-chvw-gjxf-f8mc", "PYSEC-2017-63" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zy2g-gzmk-1qcz" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/plone@4.3rc1" }