CVE-2013-4198

First published: Wed Jun 26 2013(Updated: )

`mail_password.py` in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
Plone Plone	=2.1
Plone Plone	=2.1.1
Plone Plone	=2.1.2
Plone Plone	=2.1.3
Plone Plone	=2.1.4
Plone Plone	=2.5
Plone Plone	=2.5.1
Plone Plone	=2.5.2
Plone Plone	=2.5.3
Plone Plone	=2.5.4
Plone Plone	=2.5.5
Plone Plone	=3.0
Plone Plone	=3.0.1
Plone Plone	=3.0.2
Plone Plone	=3.0.3
Plone Plone	=3.0.4
Plone Plone	=3.0.5
Plone Plone	=3.0.6
Plone Plone	=3.1
Plone Plone	=3.1.1
Plone Plone	=3.1.2
Plone Plone	=3.1.3
Plone Plone	=3.1.4
Plone Plone	=3.1.5.1
Plone Plone	=3.1.6
Plone Plone	=3.1.7
Plone Plone	=3.2
Plone Plone	=3.2.1
Plone Plone	=3.2.2
Plone Plone	=3.2.3
Plone Plone	=3.3
Plone Plone	=3.3.1
Plone Plone	=3.3.2
Plone Plone	=3.3.3
Plone Plone	=3.3.4
Plone Plone	=3.3.5
Plone Plone	=4.0
Plone Plone	=4.0.1
Plone Plone	=4.0.2
Plone Plone	=4.0.3
Plone Plone	=4.0.4
Plone Plone	=4.0.5
Plone Plone	=4.0.6.1
Plone Plone	=4.1
Plone Plone	=4.3
Plone Plone	=4.3.1
Plone Plone	=4.2
Plone Plone	=4.2.1
Plone Plone	=4.2.2
Plone Plone	=4.2.3
Plone Plone	=4.2.4
Plone Plone	=4.2.5
pip/Plone	>=4.3<4.3.2	4.3.2
pip/Plone	>=4.2<4.2.6	4.2.6
pip/Plone	>=2.1<=4.1
	=2.1
	=2.1.1
	=2.1.2
	=2.1.3
	=2.1.4
	=2.5
	=2.5.1
	=2.5.2
	=2.5.3
	=2.5.4
	=2.5.5
	=3.0
	=3.0.1
	=3.0.2
	=3.0.3
	=3.0.4
	=3.0.5
	=3.0.6
	=3.1
	=3.1.1
	=3.1.2
	=3.1.3
	=3.1.4
	=3.1.5.1
	=3.1.6
	=3.1.7
	=3.2
	=3.2.1
	=3.2.2
	=3.2.3
	=3.3
	=3.3.1
	=3.3.2
	=3.3.3
	=3.3.4
	=3.3.5
	=4.0
	=4.0.1
	=4.0.2
	=4.0.3
	=4.0.4
	=4.0.5
	=4.0.6.1
	=4.1
	=4.3
	=4.3.1
	=4.2
	=4.2.1
	=4.2.2
	=4.2.3
	=4.2.4
	=4.2.5

Remedy

http://plone.org/products/plone-hotfix/releases/20130618

Never miss a vulnerability like this again

Reference Links

collector/nvd-index
agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2013-4198
agent/references
agent/remedy
agent/weakness
agent/severity
agent/description
agent/author
agent/softwarecombine
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/github-advisory
source/GitHub
alias/GHSA-qjxf-6pr8-j87v
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/tags
agent/event
collector/github-advisory-latest
vendor/plone
canonical/plone plone
version/plone plone/2.1
version/plone plone/2.1.1
version/plone plone/2.1.2
version/plone plone/2.1.3
version/plone plone/2.1.4
version/plone plone/2.5
version/plone plone/2.5.1
version/plone plone/2.5.2
version/plone plone/2.5.3
version/plone plone/2.5.4
version/plone plone/2.5.5
version/plone plone/3.0
version/plone plone/3.0.1
version/plone plone/3.0.2
version/plone plone/3.0.3
version/plone plone/3.0.4
version/plone plone/3.0.5
version/plone plone/3.0.6
version/plone plone/3.1
version/plone plone/3.1.1
version/plone plone/3.1.2
version/plone plone/3.1.3
version/plone plone/3.1.4
version/plone plone/3.1.5.1
version/plone plone/3.1.6
version/plone plone/3.1.7
version/plone plone/3.2
version/plone plone/3.2.1
version/plone plone/3.2.2
version/plone plone/3.2.3
version/plone plone/3.3
version/plone plone/3.3.1
version/plone plone/3.3.2
version/plone plone/3.3.3
version/plone plone/3.3.4
version/plone plone/3.3.5
version/plone plone/4.0
version/plone plone/4.0.1
version/plone plone/4.0.2
version/plone plone/4.0.3
version/plone plone/4.0.4
version/plone plone/4.0.5
version/plone plone/4.0.6.1
version/plone plone/4.1
version/plone plone/4.3
version/plone plone/4.3.1
version/plone plone/4.2
version/plone plone/4.2.1
version/plone plone/4.2.2
version/plone plone/4.2.3
version/plone plone/4.2.4
version/plone plone/4.2.5
package-manager/pip

CVE-2013-4198

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact