GHSA-pwgm-jvqv-6v8p

Suggest an improvement
Source
https://github.com/advisories/GHSA-pwgm-jvqv-6v8p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pwgm-jvqv-6v8p/GHSA-pwgm-jvqv-6v8p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pwgm-jvqv-6v8p
Aliases
  • CVE-2011-4030
Published
2022-05-17T05:37:14Z
Modified
2024-12-03T05:32:12.456250Z
Summary
Plone anonymous access to sub-objects in CMFEditions where KwAsAttributes classes were publishable
Details

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

Database specific
{
    "nvd_published_at": "2011-10-10T10:55:00Z",
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T17:25:59Z"
}
References

Affected packages

PyPI / plone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0
Fixed
4.0.10

Affected versions

4.*

4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9

Database specific

{
    "last_known_affected_version_range": "<= 4.0.9"
}

PyPI / plone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1
Fixed
4.1.1

Affected versions

4.*

4.1

PyPI / plone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2a1
Fixed
4.2a3

Affected versions

4.*

4.2a1
4.2a2

Database specific

{
    "last_known_affected_version_range": "<= 4.2a2"
}