CVE-2021-33507
Description
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Zope Products.CMFCore and Products.PluggableAuthService allows remote attackers to inject arbitrary web scripts via crafted requests.
Vulnerability
Zope Products.CMFCore before version 2.5.1 and Products.PluggableAuthService before version 2.6.2, as used in Plone through 5.2.4 and other products, contain a reflected cross-site scripting (XSS) vulnerability [1][2][3]. The vulnerability exists in the authentication and content management components, allowing injection of arbitrary web scripts or HTML via a crafted request [1].
Exploitation
No authentication is required: the attacker sends a crafted URL or request to a vulnerable Plone site [1][2]. The issue is classified as reflected XSS with a network attack vector and low attack complexity, but it requires user interaction [2]: the attacker must get a user to click a malicious link or submit a specially crafted form [1][2].
Impact
Successful exploitation leads to arbitrary script execution in the victim's browser, in the origin of the vulnerable site and with the victim's session [1][2]. This can result in information disclosure, session hijacking, or other client-side attacks [1][2].
Mitigation
A hotfix addressing the issue was released on 2021-05-18 [3]. The fix is included in Products.CMFCore 2.5.1 and Products.PluggableAuthService 2.6.2 [1][3]. Users should upgrade to these versions or apply the hotfix; no workaround is known for unpatched versions [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Products.CMFCore | PyPI | < 2.5.1 | 2.5.1 |
| Products.PluggableAuthService | PyPI | < 2.6.2 | 2.6.2 |
| Plone | PyPI | <= 5.2.4 | none listed |
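As an added check (example code written for this page, not code from Plone, Zope or the advisory), the script below compares the installed versions of the two fixed packages against the patched versions in the table above. It reads package metadata with importlib.metadata from the standard library; the version parser is a simplified PEP 440-style comparison that is an assumption of this example and does not model post-releases. A site that applied the 2021-05-18 hotfix instead of upgrading will still report the old package versions, so a "vulnerable" result there means "verify the hotfix is installed", not "confirmed unpatched".

```python
"""Check installed Zope/Plone packages against the fix versions for CVE-2021-33507.

Added example, not from the Plone project or the advisory. Fix versions are taken
from the advisory table; the version parser below is a simplified PEP 440
approximation (assumption of this example).
"""
import re
from importlib import metadata

# Fixed versions from the advisory table. Plone itself lists no patched release;
# the fix lives in these two packages (or in the separate hotfix).
FIX_VERSIONS = {
    "Products.CMFCore": "2.5.1",
    "Products.PluggableAuthService": "2.6.2",
}


def parse_version(v: str) -> tuple:
    """Turn '2.5.1', '2.5' or '2.6.2rc1' into a comparable tuple.

    Assumption: the release segment is dotted integers; any trailing suffix
    (a1, b2, rc1, .dev0) is treated as a pre-release and sorts before the bare
    release, as PEP 440 does. Post-releases (.post1) are not modelled.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    # Pad so that 2.5 compares as 2.5.0 against 2.5.1.
    release = release + (0,) * (3 - len(release))
    pre = m.group(2)
    # A final release (rank 0) sorts above a pre-release (rank -1) of the same number.
    return (release, 0 if not pre else -1, pre)


def is_vulnerable(package: str, installed: str) -> bool:
    """True when `installed` is below the fix version for `package`."""
    return parse_version(installed) < parse_version(FIX_VERSIONS[package])


def assess(installed: dict) -> dict:
    """Map each fixed package to 'vulnerable', 'fixed' or 'absent'."""
    result = {}
    for pkg in FIX_VERSIONS:
        ver = installed.get(pkg)
        if ver is None:
            result[pkg] = "absent"
        else:
            result[pkg] = "vulnerable" if is_vulnerable(pkg, ver) else "fixed"
    return result


def installed_versions() -> dict:
    """Read the versions of the two packages from the current Python environment."""
    found = {}
    for pkg in FIX_VERSIONS:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Constructed sample: one package still at a pre-fix release, one already upgraded.
    sample = {"Products.CMFCore": "2.5.0", "Products.PluggableAuthService": "2.6.2"}
    for pkg, status in assess(sample).items():
        print(f"sample  {pkg}: {status}")
    # Then the environment this script runs in (a Plone buildout or virtualenv).
    for pkg, status in assess(installed_versions()).items():
        print(f"live    {pkg}: {status}")
```

Run it with the Python interpreter of the Plone instance (for example the buildout's bin/zopepy or the site's virtualenv), not a system Python, otherwise the live check reports both packages as absent.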
Affected products
- Zope Products/CMFCore (no CPE)
- GHSA version ranges: <= 5.2.4 (Plone), < 2.5.1 (Products.CMFCore), < 2.6.2 (Products.PluggableAuthService)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-35rg-466w-77h3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33507 (NVD advisory)
- www.openwall.com/lists/oss-security/2021/05/22/1 (oss-security mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-79.yaml (PyPA advisory database)
- plone.org/security/hotfix/20210518/reflected-xss-in-various-spots (Plone hotfix 20210518 advisory)
News mentions
No linked articles in our index yet.