GHSA-4vr8-r7qr-fpvq

Source

https://github.com/advisories/GHSA-4vr8-r7qr-fpvq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4vr8-r7qr-fpvq/GHSA-4vr8-r7qr-fpvq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4vr8-r7qr-fpvq

Aliases

Published

2022-05-17T04:41:00Z

Modified

2024-10-15T17:59:43.500450Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Plone Privilege escalation through exposed underlying API

Details

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-29T16:28:04Z",
    "nvd_published_at": "2014-05-02T14:55:00Z"
}

References

Affected packages

PyPI / plone

Package

Name: plone; View open source insights on deps.dev
Purl: pkg:pypi/plone

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3b1

Fixed

4.3.3

Affected versions

3.*

3.3b1

3.3rc1

3.3rc2

3.3rc3

3.3rc4

3.3rc5

3.3

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

4.*

4.0a1

4.0a2

4.0a3

4.0a4

4.0a5

4.0b1

4.0b2

4.0b3

4.0b4

4.0b5

4.0rc1

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.1a1

4.1a2

4.1a3

4.1b1

4.1b2

4.1rc2

4.1rc3

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.2a1

4.2a2

4.2b1

4.2b2

4.2rc1

4.2rc2

4.2

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3a1

4.3a2

4.3b1

4.3b2

4.3rc1

4.3

4.3.1

4.3.2

PyPI / products-cmfplone