Note: This project will be discontinued after December 13, 2021.

Product: Plone

Repositories:
• https://github.com/plone/Products.CMFPlone
• https://github.com/zopefoundation/Products.CMFCore

Number of vulnerabilities: 102
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-05-21 | CVE-2021-33510 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | Plone | 4.3 | ||
2021-05-21 | CVE-2021-33512 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | Plone | 5.4 | ||
2021-05-21 | CVE-2021-33513 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | Plone | 5.4 | ||
2020-12-30 | CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | Plone | 8.8 | ||
2020-12-30 | CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | Plone | 8.8 | ||
2020-12-30 | CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | Plone | 8.8 | ||
2020-12-17 | CVE-2020-35190 | The official plone Docker images before version 4.3.18-alpine (Alpine specific) contain a blank password for the root user. Systems using the plone docker container deployed from affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | Plone | 9.8 | ||
2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | N/A | ||
2020-01-23 | CVE-2020-7939 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | N/A | ||
2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | N/A | ||