
CVE-2013-4193: Plone Unrestricted Field Manipulation vulnerability via content edit forms

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score: 0.53619%
Published: 5/17/2022
Updated: 10/17/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
plone         pip        >= 2.1, <= 4.1       4.1.1
plone         pip        >= 4.2, < 4.2.6      4.2.6
plone         pip        >= 4.3, < 4.3.2      4.3.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on improper enforcement of the 'immutable' setting in content edit forms. The advisory specifically identifies typeswidget.py as the vulnerable component. In Plone's architecture, TypesWidget handles field rendering in content forms, and its render method would be responsible for applying immutability restrictions. The attack vector (a crafted URL) suggests that the function trusts unvalidated request parameters when deciding which fields to display, so the immutability check can be bypassed and fields hidden from the form. The references do not state the exact function name, but the file path and the widget's role in Plone strongly indicate the render method, which owns the field display logic, as the vulnerable component.

WAF Protection Rules

WAF Rule

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.
