Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Plone
(Plone)Repositories |
• https://github.com/plone/Products.CMFPlone
• https://github.com/zopefoundation/Products.CMFCore |
#Vulnerabilities | 102 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-12-30 | CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | Plone | 8.8 | ||
2020-12-30 | CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | Plone | 8.8 | ||
2020-12-30 | CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | Plone | 8.8 | ||
2020-12-17 | CVE-2020-35190 | The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | Plone | 9.8 | ||
2020-01-23 | CVE-2020-7937 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | Plone | N/A | ||
2020-01-23 | CVE-2020-7939 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | Plone | N/A | ||
2020-01-23 | CVE-2020-7940 | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | Plone | N/A | ||
2020-01-23 | CVE-2020-7936 | An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. | Plone | N/A | ||
2020-01-02 | CVE-2013-7062 | Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. | Plone | N/A | ||
2017-03-23 | CVE-2017-5524 | Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. | Plone | 4.3 |