Description
typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2006-1874 Vulnerability (CVE-2006-1874)
MySQL CVE-2015-4905 Vulnerability (CVE-2015-4905)
Microsoft SQL Server Other Vulnerability (CVE-2001-0879)
WordPress Plugin UPM Polls 'qid' Parameter SQL Injection (1.0.3)
Joomla Improper Input Validation Vulnerability (CVE-2013-5576)