Product: Plone
| Date | Id | Summary | Products | Score | Patch | Annotated |
| --- | --- | --- | --- | --- | --- | --- |
| 2021-03-24 | CVE-2021-29002 | A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. | Plone | 5.4 | | |
| 2020-12-30 | CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | Plone | 8.8 | | |
| 2020-12-30 | CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | Plone | 8.8 | | |
| 2020-12-30 | CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | Plone | 8.8 | | |
| 2020-12-17 | CVE-2020-35190 | The official plone Docker images before version 4.3.18-alpine (Alpine specific) contain a blank password for the root user. Systems using the plone Docker container deployed from affected versions of the image may allow a remote attacker to achieve root access with a blank password. | Plone | 9.8 | | |
| 2020-01-23 | CVE-2020-7938 | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | Plone | N/A | | |
| 2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | N/A | | |
| 2020-01-23 | CVE-2020-7939 | SQL injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | N/A | | |
| 2020-01-23 | CVE-2020-7941 | A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. | Plone | N/A | | |
| 2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | N/A | | |