CVE-2013-4193

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
ploneplone
2.1
ploneplone
2.1.1
ploneplone
2.1.2
ploneplone
2.1.3
ploneplone
2.1.4
ploneplone
2.5
ploneplone
2.5.1
ploneplone
2.5.2
ploneplone
2.5.3
ploneplone
2.5.4
ploneplone
2.5.5
ploneplone
3.0
ploneplone
3.0.1
ploneplone
3.0.2
ploneplone
3.0.3
ploneplone
3.0.4
ploneplone
3.0.5
ploneplone
3.0.6
ploneplone
3.1
ploneplone
3.1.1
ploneplone
3.1.2
ploneplone
3.1.3
ploneplone
3.1.4
ploneplone
3.1.5.1
ploneplone
3.1.6
ploneplone
3.1.7
ploneplone
3.2
ploneplone
3.2.1
ploneplone
3.2.2
ploneplone
3.2.3
ploneplone
3.3
ploneplone
3.3.1
ploneplone
3.3.2
ploneplone
3.3.3
ploneplone
3.3.4
ploneplone
3.3.5
ploneplone
4.0
ploneplone
4.0.1
ploneplone
4.0.2
ploneplone
4.0.3
ploneplone
4.0.4
ploneplone
4.0.5
ploneplone
4.0.6.1
ploneplone
4.1
ploneplone
4.2
ploneplone
4.2.1
ploneplone
4.2.2
ploneplone
4.2.3
ploneplone
4.2.4
ploneplone
4.2.5
ploneplone
4.3
ploneplone
4.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://plone.org/products/plone-hotfix/releases/20130618
http://plone.org/products/plone/security/advisories/20130618-announcement
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978469
http://plone.org/products/plone-hotfix/releases/20130618
http://plone.org/products/plone/security/advisories/20130618-announcement
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978469