Product: Plone (Plone)
| Date | Id | Summary | Products | Score |
|---|---|---|---|---|
| 2021-05-21 | CVE-2021-33510 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | Plone | 4.3 |
| 2021-05-21 | CVE-2021-33512 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | Plone | 5.4 |
| 2021-05-21 | CVE-2021-33513 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | Plone | 5.4 |
| 2020-12-30 | CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | Plone | 8.8 |
| 2020-12-30 | CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | Plone | 8.8 |
| 2020-12-30 | CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | Plone | 8.8 |
| 2020-12-17 | CVE-2020-35190 | The official plone Docker images before version 4.3.18-alpine (Alpine specific) contain a blank password for the root user. Systems using the plone docker container deployed from affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | Plone | 9.8 |
| 2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | N/A |
| 2020-01-23 | CVE-2020-7939 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | N/A |
| 2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | N/A |