CVE-2013-4198
Plone's authenticated users able to alter their password despite of policy definition
4.3
MEDIUM
CVSS 3.1
EPSS 0.30%
Description
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.
How to fix CVE-2013-4198
To remediate CVE-2013-4198, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 4.1.1 or later
Is CVE-2013-4198 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.1, <= 4.1
- >= 2.1, < 4.1.1, >= 4.2, < 4.2.6, >= 4.3, < 4.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |