Note:
This project will be discontinued after December 13, 2021.
Product: Plone (Plone)

Repositories:
• https://github.com/plone/Products.CMFPlone
• https://github.com/zopefoundation/Products.CMFCore

#Vulnerabilities: 103

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-02-08 | CVE-2024-23756 | The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them. | Plone | 7.5 | ||
2022-01-28 | CVE-2022-23599 | Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are... | Plone | 6.1 | ||
2023-02-17 | CVE-2021-33926 | An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1, 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed portlet. | Plone | 8.8 | ||
2024-03-06 | CVE-2024-22889 | Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request. | Plone | 7.5 | ||
2020-01-23 | CVE-2020-7936 | An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. | Plone | 6.1 | ||
2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | 5.4 | ||
2020-01-23 | CVE-2020-7938 | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | Plone | 8.8 | ||
2020-01-23 | CVE-2020-7939 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | 8.8 | ||
2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | 7.5 | ||
2020-01-23 | CVE-2020-7941 | A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. | Plone | 9.8 | ||