CVE-2013-4193: Plone Unrestricted Field Manipulation vulnerability via content edit forms
CVSS Score: 5.9 (CVSS 3.1)
Basic Information
CVE ID: CVE-2013-4193
GHSA ID
EPSS Score: 0.53619%
CWE
Published: 5/17/2022
Updated: 10/17/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| plone | pip | >= 2.1, <= 4.1 | 4.1.1 |
| plone | pip | >= 4.2, < 4.2.6 | 4.2.6 |
| plone | pip | >= 4.3, < 4.3.2 | 4.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an improper enforcement of the 'immutable' setting on fields in content edit forms. The advisory identifies typeswidget.py as the vulnerable component. In Plone's architecture, TypesWidget renders fields in content forms, and its render method would be where immutability restrictions are applied to what the form displays. The attack vector (a crafted URL) suggests that this logic trusts unvalidated request parameters when deciding which fields are shown or editable, so a request can bypass the immutability check. The references do not name the exact function; the file path and the widget's role in field display logic make the render method the most likely vulnerable code. The impact matches the CVSS vector above: no confidentiality or availability impact, but high integrity impact, because a field the application marks immutable can be modified by a remote, unauthenticated request.
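The bug class described above, as an added illustration that is not Plone's code and not the patched code from the advisory: a form layer that decides which fields are editable from a request parameter, paired with a submit handler that writes whatever the form exposed, beside a fixed version that decides visibility from the schema alone and re-checks the immutable flag when values are applied. The names `Field`, `ContentItem`, the `show` parameter and the request dicts are all constructed for this example.

```python
"""Model of an edit form that enforces 'immutable' only at render time
and trusts a request parameter to decide what to render (vulnerable),
next to a version that enforces the flag from the schema at both render
and apply time (fixed). Hypothetical code, not Plone's."""

from dataclasses import dataclass, field


@dataclass
class Field:
    name: str
    immutable: bool = False


@dataclass
class ContentItem:
    schema: list                                # list of Field
    values: dict = field(default_factory=dict)  # current field values


def visible_fields_vulnerable(item, request):
    """Vulnerable: a 'show' request parameter (hypothetical) can force an
    immutable field into the rendered form, so a crafted URL such as
    ?show=id surfaces a field the schema says must not be edited."""
    requested = request.get("show", "").split(",")
    return [f for f in item.schema if f.name in requested or not f.immutable]


def apply_edit_vulnerable(item, request):
    """Vulnerable: writes every submitted value for a field the form showed,
    with no independent check of the field's immutable flag."""
    for f in visible_fields_vulnerable(item, request):
        if f.name in request:
            item.values[f.name] = request[f.name]
    return item.values


def visible_fields_fixed(item, request):
    """Fixed rendering: which fields are editable comes from the schema
    only; nothing in the request can widen that set."""
    return [f for f in item.schema if not f.immutable]


def apply_edit_fixed(item, request):
    """Fixed processing: every submitted field is checked against the schema,
    so a value for an immutable field is rejected even if the client skipped
    the form entirely. Returns the names of rejected fields."""
    by_name = {f.name: f for f in item.schema}
    rejected = []
    for name, value in request.items():
        f = by_name.get(name)
        if f is None:          # not a schema field (e.g. the 'show' parameter)
            continue
        if f.immutable:
            rejected.append(name)
            continue
        item.values[name] = value
    return rejected


def make_item():
    """Constructed sample content item: 'id' is immutable, 'title' is not."""
    return ContentItem(
        schema=[Field("id", immutable=True), Field("title")],
        values={"id": "page-1", "title": "Original"},
    )


# Constructed request standing in for a crafted URL: it asks the form to
# show the immutable 'id' field and submits a new value for it.
CRAFTED_REQUEST = {"show": "id", "id": "attacker-chosen", "title": "Edited"}


if __name__ == "__main__":
    item = make_item()
    print("vulnerable:", apply_edit_vulnerable(item, CRAFTED_REQUEST))
    item = make_item()
    print("fixed rejected:", apply_edit_fixed(item, CRAFTED_REQUEST), item.values)
```

The point the fixed version makes is that rendering decisions are not an access control: whether or not a field appears in the form, the handler that applies submitted values has to consult the schema's immutable flag itself, because the client controls every parameter in the request.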