FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description

22c6b826-cee0-11da-8578-00123ffe8333
plone -- "member_id" Parameter Portrait Manipulation Vulnerability

Secunia reports:

The vulnerability is caused due to missing security declarations in "changeMemberPortrait" and "deletePersonalPortrait". This can be exploited to manipulate or delete another user's portrait via the "member_id" parameter.


Discovery 2006-04-13
Entry 2006-04-18
plone
< 2.1.2_1

CVE-2006-1711
http://dev.plone.org/plone/ticket/5432
http://www.debian.org/security/2006/dsa-1032
http://secunia.com/advisories/19633/
34414a1e-e377-11db-b8ab-000c76189c4c
zope -- cross-site scripting vulnerability

The Zope Team reports:

A vulnerability has been discovered in Zope, whereby certain types of misuse of HTTP GET could allow an attacker to gain elevated privileges. All Zope versions up to and including 2.10.2 are affected.


Discovery 2007-01-16
Entry 2007-04-05
Modified 2009-03-22
zope
< 2.7.9_2

>= 2.8.0, <= 2.8.8

>= 2.9.0, <= 2.9.6

>= 2.10.0, <= 2.10.2

plone
< 2.5.3

23084
CVE-2007-0240
ports/111119
http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view
http://plone.org/products/plone/releases/2.5.3
6b3374d4-6b0b-11e5-9909-002590263bf5
plone -- multiple vulnerabilities

Plone.org reports:

Versions Affected: All current Plone versions.

Versions Not Affected: None.

Nature of vulnerability: Allows creation of members by anonymous users on sites that have self-registration enabled, allowing bypass of CAPTCHA and similar protections against scripted attacks.

The patch can be added to buildouts as Products.PloneHotfix20150910 (available from PyPI) or downloaded from Plone.org.

Immediate Measures You Should Take: Disable self-registration until you have applied the patch.

Plone's URL checking infrastructure includes a method for checking if URLs are valid and located in the Plone site. By passing HTML into this specially crafted URL, XSS can be achieved.


Discovery 2015-09-10
Entry 2015-10-05
plone
< 4.3.7

ports/203255
https://plone.org/products/plone-hotfix/releases/20150910
https://plone.org/products/plone/security/advisories/20150910-announcement
https://plone.org/security/20150910/non-persistent-xss-in-plone
https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087
7c492ea2-3566-11e0-8e81-0022190034c0
plone -- Remote Security Bypass

Plone developer reports:

This is an escalation of privileges attack that can be used by anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin. The sandbox protecting access to the underlying system is still in place, and it does not grant access to other applications running on the same Zope instance.


Discovery 2011-02-02
Entry 2011-02-10
plone
>= 2.5, < 3

plone3
>= 3, <= 3.3

46102
CVE-2011-0720
http://plone.org/products/plone/security/advisories/cve-2011-0720
b6c18956-5fa3-11db-ad2d-0016179b2dd5
plone -- unprotected MembershipTool methods

The Plone Team reports:

Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the:

  • changeMemberPortrait
  • deletePersonalPortrait
  • testCurrentPassword

methods, which allows remote attackers to modify portraits.


Discovery 2006-10-19
Entry 2006-10-19
Modified 2006-10-20
plone
< 2.1.2

CVE-2006-1711
http://plone.org/products/plone/releases/2.1.4
https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt
f4ff7434-9505-11db-9ddc-0011098b2f36
plone -- user can masquerade as a group

Plone.org reports:

PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.


Discovery 2006-11-02
Entry 2006-12-27
plone
> 2.5, < 2.5.1_1

21460
CVE-2006-4249
http://plone.org/products/plone-hotfix/releases/20061031
ffba6ab0-90b5-11dc-9835-003048705d5a
plone -- unsafe data interpreted as pickles

Plone project reports:

This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.


Discovery 2007-11-06
Entry 2007-11-12
plone
>= 2.5, < 2.5.5

>= 3.0, < 3.0.3

26354
CVE-2007-5741