VYPR
Moderate severity · NVD Advisory · Published May 21, 2021 · Updated Aug 3, 2024

CVE-2021-33510


Description

Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated managers in Plone through 5.2.4 can exploit SSRF via an event ical URL to read one file line.

Vulnerability

Plone versions through 5.2.4 (and all earlier 4.3.x versions) contain a server-side request forgery (SSRF) vulnerability in the handling of an event's ical URL. A remote authenticated user with the Manager role can make the Plone instance fetch a URL of the attacker's choosing, including a local file URL, and thereby read one line of a file on the server [1][2][4].

Exploitation

An attacker must have valid Manager-level credentials to the Plone instance. The attack involves creating or modifying an event and setting its ical URL to point to an external or internal resource (e.g., a local file URL). When Plone processes the event, the server fetches the supplied URL and displays the first line of the response, effectively leaking the first line of the targeted file [1][2][4]. No user interaction beyond the authenticated manager's action is required.

Impact

Successful exploitation enables the attacker to read one line of any file accessible by the Plone process, potentially leaking sensitive information such as configuration files, credentials, or other data. The scope is limited to a single line per request, but repeated requests against different files or subsequent lines may be possible [1][2][4].

Mitigation

The Plone security hotfix 20210518 addresses this vulnerability. Administrators should apply the hotfix immediately. No supported version is unaffected; older unsupported versions may be affected but the hotfix has not been tested on them [4]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
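The page does not describe what the hotfix itself changes. As an added illustration of the kind of input check that closes this class of bug (example code, not Plone's or the hotfix's own), the following guard validates a user-supplied ical URL before the server is allowed to fetch it: it rejects non-http(s) schemes such as file://, rejects userinfo in the URL, and refuses hosts that resolve to loopback, link-local, private or otherwise non-public addresses. The function name `validate_ical_url`, the `SAMPLE_DNS` table and the hostnames in it are assumptions constructed for the example.

```python
"""Added example: a pre-fetch guard for a user-supplied "ical URL".

Not Plone's code. The resolver is injectable so the check can run offline
against a constructed DNS table; in production the default DNS resolver is used.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample DNS table (hypothetical names and addresses) for offline use.
SAMPLE_DNS: Dict[str, List[str]] = {
    "calendar.example.org": ["1.2.3.4"],   # constructed, treated as a public address
    "intranet.example": ["10.0.0.5"],      # resolves into RFC 1918 space
}


def static_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Build a resolver that answers only from `table`, raising like DNS would otherwise."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return table[host]
    return resolve


def dns_resolver(host: str) -> List[str]:
    """Default resolver: every address the system resolver returns for `host`."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr) -> bool:
    """True only for addresses that are not loopback, private, link-local, reserved, etc."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_ical_url(url: str,
                      resolver: Callable[[str], List[str]] = dns_resolver) -> Tuple[bool, str]:
    """Return (ok, reason). Only http(s) URLs whose host resolves solely to public
    addresses are accepted; everything else is refused with a reason string."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        # A literal IP (urlparse already strips IPv6 brackets) needs no DNS lookup.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(ip) for ip in resolver(host)]
        except (socket.gaierror, OSError, ValueError) as exc:
            return False, f"host could not be resolved: {exc}"
    # Every resolved address must be public; one internal A/AAAA record is enough to refuse.
    for addr in addrs:
        if not _is_public(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    check = static_resolver(SAMPLE_DNS)
    for candidate in ("https://calendar.example.org/feed.ics",
                      "file:///some/local/file",
                      "http://intranet.example/cal.ics",
                      "http://127.0.0.1/cal.ics"):
        print(candidate, "->", validate_ical_url(candidate, resolver=check))
```

Two caveats apply to any guard of this shape. Validating the hostname before the fetch does not bind the connection to the address that was checked, so the fetching code should connect to the vetted address (or re-run the check at connect time) rather than resolve the name a second time. And HTTP redirects must be re-validated hop by hop, or simply not followed, since a redirect can point at a scheme or host the initial check rejected.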

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Plone (PyPI)
Affected versions: <= 5.2.4
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
