CVE-2021-33511
Description
Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plone through 5.2.4 allows SSRF via the lxml parser used for Diazo themes, Dexterity TTW schemas, and model editors, letting a user who can edit those documents make the server issue requests to internal network resources.
Vulnerability
Plone through version 5.2.4 contains a server-side request forgery (SSRF) vulnerability in its use of the lxml parser. It affects the components that parse user-controlled XML: Diazo themes in plone.app.theming, Dexterity through-the-web (TTW) schemas in plone.app.dexterity, and the model editors in plone.supermodel. An attacker who can submit crafted XML to any of these components can make the server fetch a resource the attacker chooses. [1]
Exploitation
The attacker must be able to supply an XML document that the lxml parser processes, which means authenticated access with sufficient privileges to edit Diazo themes, Dexterity TTW schemas, or model editor definitions. The document references an external resource, for example through an external entity declaration (XXE-style) or another construct the parser resolves by loading a URL, so the Plone server makes the request to an internal or external address on the attacker's behalf. [1]
Impact
Successful exploitation allows the attacker to perform SSRF, potentially accessing internal network services, reading sensitive data from internal systems, or conducting reconnaissance. This could lead to further compromise of the internal infrastructure. [1]
Mitigation
A security hotfix released on May 18, 2021 addresses this vulnerability. Per the hotfix advisory, all supported Plone versions are affected (4.3.x up to 4.3.20 and 5.x up to 5.2.4). Users should apply the hotfix or upgrade to a patched version; no workaround is available. [4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | <= 5.2.4 | — |
Affected products
- Plone/Plone
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gc9g-67cq-p7v4 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33511 (NVD)
- www.openwall.com/lists/oss-security/2021/05/22/1 (oss-security mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-83.yaml (PyPA advisory database, PYSEC-2021-83)
- plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser (Plone hotfix advisory, 2021-05-18)
News mentions
No linked articles in our index yet.