VYPR
High severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024

CVE-2020-28735

Description

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Plone before 5.2.3 allows Server-Side Request Forgery (SSRF) via the tracebacks feature, which is only available to authenticated users with the Manager role.

Root Cause

The vulnerability is a Server-Side Request Forgery (SSRF) flaw in Plone, a content management system built on Zope/CMF. It sits in the tracebacks feature, which lets users holding the Manager role view detailed error traces. Through that feature the Plone server can be made to issue requests it should not, to destinations of the Manager's choosing. The official advisory and NVD entry [1][2] describe the flaw at this level; the exact request path inside the feature is not detailed on this page.

Exploitation

Exploitation requires an authenticated user with the Manager role, as the tracebacks feature is restricted to that role [1]; an attacker must therefore already hold, or have compromised, a Manager account, which is why the privileges-required metric is high (PR:H). The attack vector is network-based (AV:N) and the attack complexity is low (AC:L), so no special conditions are needed beyond those credentials [1]. With that access the attacker uses the tracebacks feature to make the server send requests to internal or external systems; the specific request that triggers the outbound connection is not documented on this page.

Impact

Successful exploitation gives the attacker SSRF from the Plone server, which can lead to information disclosure by reaching internal services (e.g., cloud metadata endpoints), scanning internal networks, or interacting with systems that were never meant to be exposed [3][4]. The impact metrics are high for confidentiality, integrity and availability, but because Manager privileges are required (PR:H) the CVSS v3 base score is 7.2, rated High rather than Critical, which matches the severity shown at the top of this page [1][2].

Mitigation

Plone 5.2.3 and later versions contain the fix [2]; upgrade to Plone 5.2.3 or newer as soon as possible. No other workaround is documented. Until the upgrade is applied, keep the Manager role limited to trusted accounts, since the tracebacks feature is unreachable without it.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions   Patched versions
Plone                 PyPI        < 5.2.3             5.2.3
plone.app.event       PyPI        < 3.2.10            3.2.10
plone.app.theming     PyPI        < 4.1.6             4.1.6
plone.app.dexterity   PyPI        < 2.6.8             2.6.8
plone.supermodel      PyPI        < 1.6.3             1.6.3
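As an added example (not code from this page, the Plone project or the advisory), the script below checks installed package versions against the patched versions listed in the table above and reports anything still in the affected range. The SAMPLE_SITE dictionary is constructed sample input; installed_from_environment() reads real versions from the current Python environment via importlib.metadata, so the same audit can be run inside a Plone virtualenv.

```python
"""Audit installed Plone component versions against the patched versions
given on this page for CVE-2020-28735.

Added example, not Plone project code.  PATCHED is transcribed from the
affected-packages table; SAMPLE_SITE is constructed sample input standing in
for what ``importlib.metadata`` or ``pip freeze`` would report."""
import re
from importlib import metadata

# Package -> first patched version; every lower version is affected (from the table).
PATCHED = {
    "Plone": "5.2.3",
    "plone.app.event": "3.2.10",
    "plone.app.theming": "4.1.6",
    "plone.app.dexterity": "2.6.8",
    "plone.supermodel": "1.6.3",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(v):
    """Turn a version string into a comparable tuple.

    Numeric components are padded to four places so "5.2" == "5.2.0".  A bare
    release gets the marker (1, "") and any trailing tag such as "rc1" gets
    (0, tag), so "5.2.3rc1" sorts before "5.2.3".  Any suffix is treated as a
    pre-release, which is conservative: a ".post1" build would be flagged too.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    suffix = m.group(2)
    return nums + ((1, "") if not suffix else (0, suffix))


def is_affected(package, installed):
    """True if ``installed`` is below the patched version for ``package``."""
    patched = PATCHED.get(package)
    if patched is None:
        return False  # not a package named in this advisory
    return parse_version(installed) < parse_version(patched)


def audit(installed_versions):
    """Return {package: (installed, patched)} for every package still affected."""
    return {
        pkg: (ver, PATCHED[pkg])
        for pkg, ver in installed_versions.items()
        if is_affected(pkg, ver)
    }


def installed_from_environment():
    """Collect real versions of the advisory's packages from this interpreter,
    skipping any that are not installed."""
    found = {}
    for pkg in PATCHED:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found


# Constructed sample: a 5.2.2 site where only plone.app.event has been updated,
# and plone.supermodel is on a release candidate of the fixed version.
SAMPLE_SITE = {
    "Plone": "5.2.2",
    "plone.app.event": "3.2.10",
    "plone.app.theming": "4.1.5",
    "plone.supermodel": "1.6.3rc1",
}

if __name__ == "__main__":
    for pkg, (have, need) in audit(SAMPLE_SITE).items():
        print(f"{pkg}: installed {have}, needs >= {need}")
```

Run it inside the site's Python environment and replace SAMPLE_SITE with installed_from_environment() to audit the live deployment; an empty result means every listed package is at or above its patched version.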

Affected products: 6

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in the index yet)