Miggo Logo
Miggo Vulnerability Database
CVE-2012-5505

CVE-2012-5505: Plone Information Disclosure

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2012-5505
GHSA ID
GHSA-cq5g-924m-7fxh
EPSS Score
0.54399%
CWE
CWE-200
Published
5/17/2022
Updated
10/11/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
plonepip< 4.2.34.2.3
Plonepip>= 4.3a0, < 4.3b14.3b1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references atat.py as the source file, and the attack vector involves requests for views without a name. In Plone's architecture, views are typically implemented as classes with a call method. The lack of validation for the view name parameter in this handler would directly enable unauthorized data exposure. The association with CVE-2012-5505 in multiple advisories and the patched version 4.2.3 confirms this is the correct entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

`*t*t.py` in Plon* ***or* *.*.* *n* *.* ***or* **t* * *llows r*mot* *tt**k*rs to r*** priv*t* **t* stru*tur*s vi* * r*qu*st *or * vi*w wit*out * n*m*.

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s *t*t.py *s t** sour** *il*, *n* t** *tt**k v**tor involv*s r*qu*sts *or vi*ws wit*out * n*m*. In Plon*'s *r**it**tur*, vi*ws *r* typi**lly impl*m*nt** *s *l*ss*s wit* * __**ll__ m*t*o*. T** l**k o* v*li**tion *