
CVE-2013-4194: Plone is vulnerable to File System Path Exposure

CVSS Score: 3.7 (CVSS 3.1)

Basic Information

EPSS Score: 0.54399%
Published: 5/17/2022
Updated: 10/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
plone          pip         >= 2.1, <= 4.1        4.1.1
plone          pip         >= 4.2, < 4.2.6       4.2.6
plone          pip         >= 4.3, < 4.3.2       4.3.2

Vulnerability Intelligence

Miggo AI: Root Cause Analysis

The vulnerability description explicitly identifies the wysiwyg.py component as the source of the path exposure. The error message leak implies a function handling URL requests in this component fails to properly sanitize error output. The getResource() function is a common pattern in Plone's WYSIWYG implementation for serving resources (e.g., images, scripts). Invalid resource requests would trigger exceptions containing filesystem paths in error messages. This aligns with CWE-200's exposure via error messages, and the component/file path matches the advisory details.
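The pattern described above, as an added illustration that is not Plone's own code: a resource lookup that returns the raised exception's text to the client (which embeds the filesystem path) beside a hardened version that validates the name, logs the detail server-side and answers with an opaque message. INSTALL_ROOT, RESOURCES and the function names are constructed for the example and do not correspond to Plone's real layout or API.

```python
import os
import logging

# Constructed stand-in for an installation directory; not Plone's real layout.
INSTALL_ROOT = "/opt/plone/instance/Products/WYSIWYG/skins"
# Constructed in-memory resource store standing in for files on disk.
RESOURCES = {"editor.js": b"// constructed resource body"}

log = logging.getLogger("wysiwyg-demo")


def leaky_get_resource(name):
    """Vulnerable pattern (CWE-200): the exception text, which carries the
    absolute filesystem path, is sent back to the client verbatim."""
    try:
        return 200, RESOURCES[name]
    except KeyError:
        # An OSError/IOError raised by a real open() formats the full path
        # into its message; that message becomes the HTTP error body.
        err = IOError(2, "No such file", os.path.join(INSTALL_ROOT, name))
        return 404, str(err).encode()


def safe_get_resource(name):
    """Hardened pattern: reject names that are not a plain basename, keep the
    path-bearing detail in the server log, return an opaque client message."""
    if os.path.basename(name) != name or name.startswith("."):
        return 400, b"invalid resource name"
    try:
        return 200, RESOURCES[name]
    except KeyError:
        log.warning("resource not found: %s", os.path.join(INSTALL_ROOT, name))
        return 404, b"resource not found"


def leaks_install_path(body):
    """Response check a reviewer or scanner can apply to an error body:
    does it echo the installation path?"""
    return INSTALL_ROOT in body.decode(errors="replace")
```

The same check can be run over captured error responses of a deployed instance to confirm a patched version no longer echoes the path.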


WAF Protection Rules

WAF Rule

The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message.
