Description

at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.

Remediation

References

CVE-2012-5501

Related Vulnerabilities

Dojo Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability (CVE-2021-23450)

Python Improper Neutralization of CRLF Sequences ('CRLF Injection') Vulnerability (CVE-2019-9740)

Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5487)

WordPress Plugin FlightLog SQL Injection (3.0.2)

XWiki Improper Handling of Exceptional Conditions Vulnerability (CVE-2023-29520)

Severity

Medium

Classification

CVE-2012-5501 CWE-264

Tags

Missing Update Known Vulnerabilities