Description
typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL.
Related Vulnerabilities
Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-1999046)
Apache HTTP Server Numeric Errors Vulnerability (CVE-2009-1956)
Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-7061)