CVE-2012-5500: Plone contains Cross-site Request Forgery

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.56255%
Published: 5/17/2022
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
plone          pip         < 4.2.3                4.2.3
plone          pip         >= 4.3a1, < 4.3b1      4.3b1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability explicitly references 'renameObjectsByPaths.py' as the affected script. The advisory details indicate that the script failed to enforce proper permission checks, so a request carrying a valid CSRF token could still modify titles without the caller holding the required permission. The CHANGES.txt in Plone 4.2.3 confirms security fixes related to this script, and multiple references (CVE-2012-5500, GHSA-2q75-f7cp-w86q) directly link to this component. The script's role in batch operations and the described attack vector align with the CSRF vulnerability mechanism.

WAF Protection Rules

WAF Rule

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.