medium
5.3
CWE
352
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2012-5500: CSRF

First published: Thu Nov 08 2012(Updated: )

A security flaw was found in the way Plone, a user friendly and powerful content management system, performed permissions checks for change titles of content items action. A remote attacker (anonymous user) could submit a specially-crafted HTTP POST request that, when processed, would allow them in an unauthorized way to change titles of content items. References: [1] <a href="http://plone.org/products/plone/security/advisories/20121106/16">http://plone.org/products/plone/security/advisories/20121106/16</a> [2] <a href="http://plone.org/products/plone/security/advisories/20121106/">http://plone.org/products/plone/security/advisories/20121106/</a> Relevant upstream HotFixes: [3] <a href="http://plone.org/products/plone-hotfix/releases/20121106">http://plone.org/products/plone-hotfix/releases/20121106</a> From the OSS post: [4] <a href="http://www.openwall.com/lists/oss-security/2012/11/07/4">http://www.openwall.com/lists/oss-security/2012/11/07/4</a> the renameObjectsByPaths.py change from upstream HotFix is relevant to this issue.

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
pip/plone>=4.3a1<4.3b1
4.3b1
pip/plone<4.2.3
4.2.3
Plone CMS<=4.2.2
Plone CMS=1.0
Plone CMS=1.0.1
Plone CMS=1.0.2
Plone CMS=1.0.3
Plone CMS=1.0.4
Plone CMS=1.0.5
Plone CMS=1.0.6
Plone CMS=2.0
Plone CMS=2.0.1
Plone CMS=2.0.2
Plone CMS=2.0.3
Plone CMS=2.0.4
Plone CMS=2.0.5
Plone CMS=2.1
Plone CMS=2.1.1
Plone CMS=2.1.2
Plone CMS=2.1.3
Plone CMS=2.1.4
Plone CMS=2.5
Plone CMS=2.5.1
Plone CMS=2.5.2
Plone CMS=2.5.3
Plone CMS=2.5.4
Plone CMS=2.5.5
Plone CMS=3.0
Plone CMS=3.0.1
Plone CMS=3.0.2
Plone CMS=3.0.3
Plone CMS=3.0.4
Plone CMS=3.0.5
Plone CMS=3.0.6
Plone CMS=3.1
Plone CMS=3.1.1
Plone CMS=3.1.2
Plone CMS=3.1.3
Plone CMS=3.1.4
Plone CMS=3.1.5.1
Plone CMS=3.1.6
Plone CMS=3.1.7
Plone CMS=3.2
Plone CMS=3.2.1
Plone CMS=3.2.2
Plone CMS=3.2.3
Plone CMS=3.3
Plone CMS=3.3.1
Plone CMS=3.3.2
Plone CMS=3.3.3
Plone CMS=3.3.4
Plone CMS=3.3.5
Plone CMS=4.0
Plone CMS=4.0.1
Plone CMS=4.0.2
Plone CMS=4.0.3
Plone CMS=4.0.4
Plone CMS=4.0.5
Plone CMS=4.0.6.1
Plone CMS=4.1
Plone CMS=4.1.4
Plone CMS=4.1.5
Plone CMS=4.1.6
Plone CMS=4.2
Plone CMS=4.2.1
Plone CMS=4.3

Remedy

https://plone.org/products/plone-hotfix/releases/20121106

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2012-5500?

    CVE-2012-5500 has a medium severity level due to the potential for unauthorized title changes of content items by remote attackers.

  • How do I fix CVE-2012-5500?

    To fix CVE-2012-5500, upgrade Plone to version 4.2.3 or later.

  • Which versions of Plone are affected by CVE-2012-5500?

    CVE-2012-5500 affects Plone versions up to and including 4.2.2 and all versions from 1.0 to 4.2.x.

  • What are the impacts of exploiting CVE-2012-5500?

    Exploiting CVE-2012-5500 allows an unauthenticated attacker to modify titles of content items, potentially leading to confusion or misuse of the content.

  • Is CVE-2012-5500 still a concern for users of Plone?

    Yes, CVE-2012-5500 remains a concern for users running vulnerable versions of Plone, necessitating prompt updates.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203