CVE-2012-5489

high

Description

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

References

https://plone.org/products/plone/security/advisories/20121106/05

https://plone.org/products/plone-hotfix/releases/20121106

https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt

https://bugs.launchpad.net/zope2/+bug/1079238

http://www.openwall.com/lists/oss-security/2012/11/10/1

Details

Source: Mitre, NVD

Published: 2014-09-30

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 7.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00575