github - ghsa-2qx8-589j-gcpx

ghsa-2qx8-589j-gcpx

Vulnerability from github

Published

2018-07-23 20:26

Modified

2024-10-09 21:30

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A

Summary

Plone and plone.app.users allow remote authenticated users to modify the properties of arbitrary accounts

Details

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "plone.app.users"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0a1"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "plone.app.users"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1b1"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Plone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.1"
            },
            {
              "fixed": "4.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Plone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1950"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.",
  "id": "GHSA-2qx8-589j-gcpx",
  "modified": "2024-10-09T21:30:27Z",
  "published": "2018-07-23T20:26:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1950"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67695"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2qx8-589j-gcpx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2011-16.yaml"
    },
    {
      "type": "WEB",
      "url": "http://plone.org/products/plone/security/advisories/CVE-2011-1950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Plone and plone.app.users allow remote authenticated users to modify the properties of arbitrary accounts"
}

CVE-2011-1950 (GCVE-0-2011-1950)

Vulnerability from cvelistv5

Published

2011-06-06 19:00

Modified

2024-08-06 22:46

Severity ?

CWE

Summary

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

References

►

URL

Tags

	http://secunia.com/advisories/44775	third-party-advisory, x_refsource_SECUNIA
	http://www.securityfocus.com/bid/48005	vdb-entry, x_refsource_BID
	https://exchange.xforce.ibmcloud.com/vulnerabilities/67695	vdb-entry, x_refsource_XF
	http://osvdb.org/72729	vdb-entry, x_refsource_OSVDB
	http://securityreason.com/securityalert/8269	third-party-advisory, x_refsource_SREASON
	http://plone.org/products/plone/security/advisories/CVE-2011-1950	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/518155/100/0/threaded	mailing-list, x_refsource_BUGTRAQ

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:46:00.933Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "44775",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/44775"
          },
          {
            "name": "48005",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/48005"
          },
          {
            "name": "plone-data-security-bypass(67695)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67695"
          },
          {
            "name": "72729",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/72729"
          },
          {
            "name": "8269",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/8269"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://plone.org/products/plone/security/advisories/CVE-2011-1950"
          },
          {
            "name": "20110526 [CVE-REQUEST] Plone XSS and permission errors",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/518155/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-05-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "44775",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/44775"
        },
        {
          "name": "48005",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/48005"
        },
        {
          "name": "plone-data-security-bypass(67695)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67695"
        },
        {
          "name": "72729",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/72729"
        },
        {
          "name": "8269",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/8269"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://plone.org/products/plone/security/advisories/CVE-2011-1950"
        },
        {
          "name": "20110526 [CVE-REQUEST] Plone XSS and permission errors",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/518155/100/0/threaded"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1950",
    "datePublished": "2011-06-06T19:00:00",
    "dateReserved": "2011-05-09T00:00:00",
    "dateUpdated": "2024-08-06T22:46:00.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

pysec-2011-16

Vulnerability from pysec

Published

2011-06-06 19:55

Modified

2021-07-25 23:34

Details

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

Impacted products

Name	purl
plone	pkg:pypi/plone

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "plone",
        "purl": "pkg:pypi/plone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2",
        "3.2.1",
        "3.2.2",
        "3.2.3",
        "3.2a1",
        "3.2rc1",
        "3.3",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.3.4",
        "3.3.5",
        "3.3.6",
        "3.3b1",
        "3.3rc1",
        "3.3rc2",
        "3.3rc3",
        "3.3rc4",
        "3.3rc5",
        "4.0",
        "4.0.1",
        "4.0.10",
        "4.0.2",
        "4.0.3",
        "4.0.4",
        "4.0.5",
        "4.0.6",
        "4.0.7",
        "4.0.8",
        "4.0.9",
        "4.0a1",
        "4.0a2",
        "4.0a3",
        "4.0a4",
        "4.0a5",
        "4.0b1",
        "4.0b2",
        "4.0b3",
        "4.0b4",
        "4.0b5",
        "4.0rc1",
        "4.1",
        "4.1a1",
        "4.1a2",
        "4.1a3",
        "4.1b1",
        "4.1b2",
        "4.1rc2",
        "4.1rc3"
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1950",
    "GHSA-2qx8-589j-gcpx"
  ],
  "details": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.",
  "id": "PYSEC-2011-16",
  "modified": "2021-07-25T23:34:43.220669Z",
  "published": "2011-06-06T19:55:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/48005"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/44775"
    },
    {
      "type": "ADVISORY",
      "url": "http://plone.org/products/plone/security/advisories/CVE-2011-1950"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/72729"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/8269"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67695"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/518155/100/0/threaded"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2qx8-589j-gcpx"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ghsa-2qx8-589j-gcpx

Vulnerability from github

CVE-2011-1950 (GCVE-0-2011-1950)

Vulnerability from cvelistv5

pysec-2011-16

Vulnerability from pysec

Tags

Sightings

Nomenclature