CVE-2013-4193: Plone Unrestricted Filed Manipulation vulnerability via content edit forms

May 17, 2022 (updated October 17, 2024)

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.

References

bugzilla.redhat.com/show_bug.cgi?id=978469
github.com/advisories/GHSA-6fgf-x7wg-hp8r
github.com/plone/Plone
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-57.yaml
nvd.nist.gov/vuln/detail/CVE-2013-4193

Code Behaviors & Features

Detect and mitigate CVE-2013-4193 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →