Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104
Zope, as used in Plone before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).
ZPublisher.HTTPRequest._scrubHeader in Zope 2, as used in Plone beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope, as used in Plone before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
Cross-site scripting (XSS) vulnerability in Zope allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.
Unspecified vulnerability in (1) Zope, as used in Plone and other products, and (2) PloneHotfix20110720 for Plone allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.
AccessControl/AuthEncoding.py in Zope, as used in Plone before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.