VYPR
High severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024

CVE-2020-28734

Description

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Plone before 5.2.3 allows authenticated Manager users to exploit an XML External Entity (XXE) vulnerability in a privileged feature, leading to file disclosure or SSRF.

Vulnerability

Overview

CVE-2020-28734 is an XML External Entity (XXE) vulnerability in Plone, a content management system. The flaw exists in a feature that is explicitly restricted to users with the Manager role. The root cause is improper handling of XML input, allowing external entities to be processed without validation [1][2].
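To make the root cause concrete, here is an added example that is not Plone's own code: a parser built on Python's standard-library expat bindings that records every entity declared without an inline value and aborts the moment content references one, so the file:// or http:// URI behind it is never fetched. It assumes only the standard library; the two sample documents and the placeholder URI are constructed for this example.

```python
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """The document declares or references an entity resolved from outside the document."""


def parse_without_external_entities(data: bytes) -> dict:
    """Parse XML, returning {'root': tag, 'text': chars}; raise on any external entity."""
    parser = expat.ParserCreate()
    # Never load external parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    external = []                       # (entity name, system id) pairs seen in the DTD
    result = {"root": None, "text": ""}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones have value None and a URI.
        if value is None:
            external.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Content referenced an external entity: abort before anything reads the URI.
        raise ExternalEntityError(f"refused external entity {system_id!r}")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chars(text):
        result["text"] += text

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    if external:                        # declared but never referenced is still rejected
        listing = ", ".join(f"{name} -> {uri}" for name, uri in external)
        raise ExternalEntityError(f"document declares external entities: {listing}")
    return result


def is_free_of_external_entities(data: bytes) -> bool:
    """True when the document parses cleanly under the guard above."""
    try:
        parse_without_external_entities(data)
        return True
    except ExternalEntityError:
        return False


# Constructed samples: a benign document using an internal entity, and one declaring an
# external entity (the placeholder URI stands in for whatever a probe would name).
BENIGN = b'<!DOCTYPE m [<!ENTITY brand "Plone">]><m><title>&brand; site</title></m>'
EXTERNAL = b'<!DOCTYPE m [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]><m>&ext;</m>'
```

The same two checks (refuse external parameter entities, reject any general entity without an inline value) are what a Manager-only XML import feature needs before handing input to any parser.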

Exploitation

Conditions

Exploitation requires an authenticated user with the Manager role. The attacker must have access to a Plone feature that processes XML data. No additional privileges or network position beyond standard Manager access are needed. The attack complexity is low, as the vulnerable functionality is designed for administrative use [1][3].

Impact

A successful XXE attack can lead to disclosure of local files on the server, server-side request forgery (SSRF), or denial of service. The impact is limited to Manager-level users, but given the high privileges of that role, the consequences can be severe, including exposure of sensitive configuration or data [1][4].

Mitigation

The vulnerability is fixed in Plone version 5.2.3. Users running earlier versions should upgrade immediately. No workarounds are documented; the feature is intentionally Manager-only, so restricting Manager access is a partial mitigation but not a complete fix [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions   Patched versions
Plone                 PyPI        < 5.2.3             5.2.3
plone.app.event       PyPI        < 3.2.10            3.2.10
plone.app.theming     PyPI        < 4.1.6             4.1.6
plone.app.dexterity   PyPI        < 2.6.8             2.6.8
plone.supermodel      PyPI        < 1.6.3             1.6.3

Affected products: 6

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in the index yet)