CVE-2020-7939
Description
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Plone 4.0 through 5.2.1 (via Zope's DTML or connection objects) allows authenticated users to execute arbitrary SQL queries.
Vulnerability Overview
CVE-2020-7939 is a SQL injection vulnerability affecting Plone versions 4.0 through 5.2.1. The issue originates from Zope's DTML (Document Template Markup Language) or connection objects, which fail to properly sanitize user-supplied input before constructing SQL queries. This allows an authenticated user with sufficient privileges to inject arbitrary SQL statements.
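The defect class described above, input spliced into SQL text rather than bound as a parameter, is illustrated by the following added example. It is generic Python over an in-memory SQLite table and is not Zope's DTML code, not the vulnerable Plone code path, and not part of this advisory; the table, rows and function names are constructed for the demonstration. It places the concatenating query beside the parameterized one and shows that binding handles both a context-escaping input and a legitimate value containing an apostrophe correctly.

```python
import sqlite3

# Constructed sample data for the demonstration; not Plone or Zope content.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("o'brien", "obrien@example.invalid"),  # a legitimate value containing a quote
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Anti-pattern: the caller's input is spliced into the statement text,
    so a quote in the input changes the SQL grammar instead of the value."""
    sql = "SELECT name, email FROM members WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the input is bound as a parameter and can only ever be
    compared as data, whatever characters it contains."""
    sql = "SELECT name, email FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_breaks_on(conn, name):
    """True if the concatenating query fails on this input; it cannot even
    handle a legitimate name containing an apostrophe."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    context_escape = "x' OR '1'='1"  # input that closes the quoted literal
    print("unsafe:", lookup_unsafe(db, context_escape))  # every row is returned
    print("safe:  ", lookup_safe(db, context_escape))    # no such member
    print("safe with apostrophe:", lookup_safe(db, "o'brien"))
    print("unsafe with apostrophe errors:", unsafe_breaks_on(db, "o'brien"))
```

The parameterized form is the fix to look for in a review of any template or connection object that builds SQL from request data: the statement text is a constant and the driver transports the value separately, so the database never parses user input as grammar.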
Attack Vector
An attacker must be an authenticated user of the Plone site who can interact with DTML templates or connection objects that execute database queries. No special network position is required; the attacker only needs standard web access to the vulnerable Plone instance. The vulnerability is triggered by crafting input that escapes the intended SQL context, enabling the injection of malicious SQL code [1][4].
Impact
Successful exploitation enables the attacker to execute arbitrary SQL queries against the underlying database. This could lead to unauthorized data retrieval, modification, or deletion, depending on the database user permissions under which Plone operates. The impact includes potential data leakage, data integrity loss, and possible further compromise of the application or database server [1][4].
Mitigation
The Plone project released a security hotfix on 2020-01-21 that addresses this vulnerability, along with several other security issues [3]. Users should apply the hotfix or upgrade to a patched version. Sites running unsupported versions are especially at risk, as no further patches are provided for those releases [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | >= 4.0, <= 5.2.1 | — |
Affected products
- Plone/Plone
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hhmf-7rgg-gcw5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7939 (advisory)
- www.openwall.com/lists/oss-security/2020/01/24/1 (mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-88.yaml (web)
- plone.org/security/hotfix/20200121 (web)
- plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects (web)
- www.openwall.com/lists/oss-security/2020/01/22/1 (web)
News mentions
No linked articles in our index yet.