High severityNVD Advisory· Published Dec 30, 2020· Updated Aug 4, 2024
CVE-2020-28736
CVE-2020-28736
Description
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
PlonePyPI | < 5.2.3 | 5.2.3 |
plone.app.eventPyPI | < 3.2.10 | 3.2.10 |
plone.app.themingPyPI | < 4.1.6 | 4.1.6 |
plone.app.dexterityPyPI | < 2.6.8 | 2.6.8 |
plone.supermodelPyPI | < 1.6.3 | 1.6.3 |
Affected products
6- Plone/Plonedescription
- ghsa-coords5 versionspkg:pypi/plonepkg:pypi/plone.app.dexteritypkg:pypi/plone.app.eventpkg:pypi/plone.app.themingpkg:pypi/plone.supermodel
< 5.2.3+ 4 more
- (no CPE)range: < 5.2.3
- (no CPE)range: < 2.6.8
- (no CPE)range: < 3.2.10
- (no CPE)range: < 4.1.6
- (no CPE)range: < 1.6.3
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2c8c-84w2-j38jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-28736ghsaADVISORY
- dist.plone.org/release/5.2.3/RELEASE-NOTES.txtghsax_refsource_CONFIRMWEB
- github.com/plone/Products.CMFPlone/issues/3209ghsax_refsource_MISCWEB
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-248.yamlghsaWEB
- www.misakikata.com/codes/plone/python-en.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.