Lucene search

GitHub Advisory DatabaseGHSA-683W-84M7-P8PW

HistoryMay 17, 2022 - 4:31 a.m.

Plone User account enumeration via crafted URL

2022-05-1704:31:18

CWE-200

GitHub Advisory Database

github.com

plone

user account enumeration

crafted url

remote attackers

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.005

Percentile

77.0%

JSON

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.

Affected configurations

Vulners

Node

ploneploneRange<4.2.3

ploneploneRange4.3a1–4.3b1

VendorProductVersionCPE
ploneplone*cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
plone	plone	*	cpe:2.3:a:plone:plone::::::::

References

rhn.redhat.com/errata/RHSA-2014-1194.html

www.openwall.com/lists/oss-security/2012/11/10/1

access.redhat.com/errata/RHSA-2014:1194

access.redhat.com/security/cve/CVE-2012-5497

bugzilla.redhat.com/show_bug.cgi?id=874681

github.com/advisories/GHSA-683w-84m7-p8pw

github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt

github.com/plone/Products.CMFPlone/commit/a9479a5b38646fe0b0a9066ee46de9c18de32bfa

github.com/plone/Products.CMFPlone/commit/c3a98f4e6cf26501485de9c8354c49afdea21df8

nvd.nist.gov/vuln/detail/CVE-2012-5497

web.archive.org/web/20131103175056/https://plone.org/products/plone/security/advisories/20121106/13

web.archive.org/web/20131114082527/https://plone.org/products/plone-hotfix/releases/20121106

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.005

Percentile

77.0%

JSON

Related for GHSA-683W-84M7-P8PW