CVE-2021-3313
Description
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plone CMS before 5.2.4 has a stored XSS in the user fullname property and file uploads, allowing authenticated remote attackers to execute JavaScript in victims' browsers.
Vulnerability
Plone CMS versions 5.2.2 and 5.2.1 (and possibly earlier) contain a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. User input is not properly encoded when echoed back to the browser, so it can be interpreted as executable code if a victim visits a vulnerable page. The vulnerability was confirmed in Plone 5.2.2 (5209) and 5.2.1 (5208); versions 5.2.3 and 5.2.4 were not tested in the advisory, but the hotfix released on 2021-05-18 mitigates the issue [1][2].
Exploitation
An authenticated attacker (e.g., a user who can edit their own profile or upload files) can inject malicious JavaScript payloads into the fullname field or file upload metadata. When a privileged user (e.g., an administrator) views the attacker's profile or a page containing the uploaded file, the payload executes in the context of the victim's browser. The attack is remote, requires prior authentication, and can be performed with three requests in the privilege escalation scenario described in the advisory [2].
Impact
Successful exploitation enables the attacker to steal the session cookie of a higher-privileged user, leading to privilege escalation. The attacker can then deploy Plone PythonScripts, steal or manipulate user data, and redirect victims to phishing pages. The overall impact includes confidentiality loss (data theft), integrity loss (manipulation), and potential complete takeover of the targeted CMS instance [2].
Mitigation
Plone released a security hotfix on 2021-05-18 (hotfix 20210518). The fix is incorporated in Plone versions 5.2.4 (with the hotfix) and 5.2.5, and later versions. Users should upgrade to a patched version or apply the hotfix as described in the Plone security advisory [2][4]. No workaround other than the official patch is documented in the available references.
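To make the two fix categories named in the references concrete (encoding the fullname at output time, and not rendering uploaded SVG/HTML inline), here is an added Python illustration. It is not Plone's code or the hotfix; the rendering helper, the download-header function and the sample inputs are all constructed for this example.

```python
import html
import re

# Constructed sample inputs (not taken from the page or the advisory).
SAMPLE_FULLNAME = 'Jane "jd" <script>alert(1)</script>'
SAMPLE_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(1)</script></svg>')
SAMPLE_PNG = b'\x89PNG\r\n\x1a\n' + b'\x00' * 16


def render_author_heading_unsafe(fullname: str) -> str:
    """The vulnerable pattern: the stored fullname is interpolated as markup."""
    return f"<h1>{fullname}</h1>"


def render_author_heading(fullname: str) -> str:
    """Hardened form: HTML-encode the value at the point it is echoed back."""
    return f"<h1>{html.escape(fullname, quote=True)}</h1>"


# Content types a browser will execute script from when they are shown inline.
SCRIPT_CAPABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}
# Cheap content sniff: declared type alone is attacker-controlled.
_MARKUP_SNIFF = re.compile(rb"<\s*(svg|html|script)\b", re.IGNORECASE)


def download_headers(filename: str, declared_type: str, data: bytes) -> dict:
    """Decide how an uploaded file may be served.

    Script-capable markup, detected by declared type or by sniffing the first
    bytes, is forced to download as an opaque attachment, so it is never
    rendered in the site's origin. Everything else is served inline.
    """
    risky = (declared_type.lower() in SCRIPT_CAPABLE_TYPES
             or bool(_MARKUP_SNIFF.search(data[:1024])))
    # Strip characters that could break out of the header value.
    safe_name = re.sub(r'["\r\n]', "", filename)
    return {
        "Content-Type": "application/octet-stream" if risky else declared_type,
        "Content-Disposition": f'{"attachment" if risky else "inline"}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```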
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | < 5.2.4 | 5.2.4 |
Affected products
- Plone CMS / Plone CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hprr-4vfq-fcxw (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3313 (NVD)
- www.openwall.com/lists/oss-security/2021/05/22/1 (oss-security mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-78.yaml (PyPA advisory database)
- plone.org/download/releases/5.2.3 (Plone 5.2.3 release)
- plone.org/security/hotfix/20210518 (Plone hotfix 20210518)
- plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html (Plone hotfix: stored XSS from file upload)
- plone.org/security/hotfix/20210518/stored-xss-from-user-fullname (Plone hotfix: stored XSS from user fullname)
- www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt (Compass Security advisory CSNC-2021-013)
News mentions
No linked articles in our index yet.