Product:
Plone
(Plone)| Repositories |
• https://github.com/plone/Products.CMFPlone
• https://github.com/zopefoundation/Products.CMFCore |
| #Vulnerabilities | 87 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-03-24 | CVE-2021-29002 | A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. | Plone | 5.4 | ||
| 2020-12-30 | CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | Plone | 8.8 | ||
| 2020-12-30 | CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | Plone | 8.8 | ||
| 2020-12-30 | CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | Plone | 8.8 | ||
| 2020-12-17 | CVE-2020-35190 | The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | Plone | 9.8 | ||
| 2020-01-23 | CVE-2020-7938 | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | Plone | N/A | ||
| 2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | N/A | ||
| 2020-01-23 | CVE-2020-7939 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | N/A | ||
| 2020-01-23 | CVE-2020-7941 | A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. | Plone | N/A | ||
| 2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | N/A |