CVE-2020-28736
Description
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plone before 5.2.3 is vulnerable to XXE attacks via the schema editor; because the guarding permission is unapplied, the feature is exploitable only by users holding the Manager role.
Vulnerability
Overview
CVE-2020-28736 describes an XML External Entity (XXE) vulnerability in Plone, a content management system, affecting versions before 5.2.3. The flaw resides in a feature guarded by the plone.schemaeditor.ManageSchemata permission, which is not applied to any role in the default configuration, so only users with the Manager role can access it [1][2]. The root cause is improper handling of XML input within this feature, allowing external entity injection.
Exploitation
To exploit this vulnerability, an attacker must already possess the Manager role in the Plone instance. With that privilege, they can craft malicious XML data that includes references to external entities. When processed by the vulnerable schema editor, the XML parser resolves these entities, leading to XXE [1][3]. No other authentication or network position is required beyond Manager access.
Impact
Successful exploitation can result in information disclosure, server-side request forgery (SSRF), or denial of service, depending on the capabilities of the XML parser and the server environment [2][4]. The CVSS score is not yet provided by NVD, but the GitHub Advisory notes high severity due to the potential for sensitive data exposure.
Mitigation
The vulnerability is fixed in Plone version 5.2.3 and later. Users running earlier versions should upgrade immediately. No workarounds are documented, and the feature is only accessible to Managers, which limits the attack surface but does not eliminate the risk if Manager accounts are compromised [1][4].
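As an added, defender-side example (not Plone's own code and not the fix shipped in 5.2.3): a pre-check that refuses DTD constructs before a schema document reaches the XML parser, so an external entity of the kind described above is never resolved. The plone.supermodel namespace and both sample documents are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Assumed namespace of plone.supermodel schema documents (not taken from this page).
SUPERMODEL_NS = "http://namespaces.plone.org/supermodel/schema"

class UnsafeXMLError(ValueError):
    """Raised when a document carries DTD constructs that make XXE possible."""

def reject_dtd_constructs(xml_bytes):
    """Expat pre-scan: refuse any DOCTYPE, entity declaration or external entity
    reference. Parameter-entity parsing is off, so the scan never fetches a DTD."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE is not allowed in schema XML")
    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration is not allowed: %r" % name)
    def external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference is not allowed: %r" % sysid)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_bytes, True)

def load_schema_field_names(xml_bytes):
    """Parse the schema only after the pre-check passes; return its field names."""
    reject_dtd_constructs(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return [f.get("name") for f in root.iter("{%s}field" % SUPERMODEL_NS)]

def is_rejected(xml_bytes):
    try:
        reject_dtd_constructs(xml_bytes)
    except UnsafeXMLError:
        return True
    return False

# Constructed sample schema, as a Manager might upload through the schema editor.
BENIGN = b"""<model xmlns="http://namespaces.plone.org/supermodel/schema"><schema>
  <field name="title" type="zope.schema.TextLine"><title>Title</title></field>
  <field name="body" type="zope.schema.Text"><title>Body</title></field>
</schema></model>"""

# Constructed hostile variant: the same schema with an external entity in a field title.
HOSTILE = b"""<!DOCTYPE model [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>
<model xmlns="http://namespaces.plone.org/supermodel/schema"><schema>
  <field name="title" type="zope.schema.TextLine"><title>&ext;</title></field>
</schema></model>"""
```

Rejecting the DOCTYPE outright is deliberately stricter than refusing only external entities, since schema documents never need a DTD.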
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | < 5.2.3 | 5.2.3 |
| plone.app.event (PyPI) | < 3.2.10 | 3.2.10 |
| plone.app.theming (PyPI) | < 4.1.6 | 4.1.6 |
| plone.app.dexterity (PyPI) | < 2.6.8 | 2.6.8 |
| plone.supermodel (PyPI) | < 1.6.3 | 1.6.3 |
Affected products
- Plone/Plone (GHSA coordinates, 5 packages): pkg:pypi/plone, pkg:pypi/plone.app.dexterity, pkg:pypi/plone.app.event, pkg:pypi/plone.app.theming, pkg:pypi/plone.supermodel
- Affected ranges (no CPE): < 5.2.3, < 2.6.8, < 3.2.10, < 4.1.6, < 1.6.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2c8c-84w2-j38j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28736 (NVD advisory)
- dist.plone.org/release/5.2.3/RELEASE-NOTES.txt (vendor confirmation)
- github.com/plone/Products.CMFPlone/issues/3209 (issue tracker)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-248.yaml (PyPA advisory database)
- www.misakikata.com/codes/plone/python-en.html (web)
News mentions
No linked articles in our index yet.