CVE-2021-33513
Description
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plone through 5.2.4 is vulnerable to cross-site scripting (XSS) via the inline_diff methods in Products.CMFDiffTool, allowing an attacker to inject arbitrary JavaScript.
Vulnerability
The vulnerability is a cross-site scripting (XSS) issue in the inline_diff methods of the Products.CMFDiffTool module in Plone CMS. Affected versions are all supported Plone releases up to and including 5.2.4, as well as the earlier 4.3.x line [1][3]. Because the inline diff output does not adequately neutralise HTML in the content being compared, an attacker can plant script that executes when a user views a diff comparison.
Exploitation
An attacker with the ability to create or modify content (e.g., a user holding the Contributor or Editor role) can inject HTML/JavaScript into content fields that are later compared with the inline diff functionality, for example through the version history view. When an administrator or other user views the diff, the injected script runs in that user's browser session. Exploitation requires only ordinary web access to the site plus a content-editing role; no special network position is needed.
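The following is an added example, not code from the page or from Products.CMFDiffTool itself: a minimal word-level inline diff renderer in the vulnerable shape the Exploitation section describes (field text wrapped in <del>/<ins> markup without escaping) beside a hardened form that escapes every text segment before adding the diff markup. The function names, the difflib-based algorithm and the constructed sample payload are this example's own assumptions and are not the project's code or a payload taken from the advisory.

```python
import difflib
import html

# Constructed sample values for the "old" and "new" revision of a text field.
# The new value carries an injected payload of the kind a content editor could
# store (assumption: the field value is persisted as-is, which is what makes
# the diff view the place where it detonates).
OLD_TEXT = "Quarterly report for <b>Q1</b>"
NEW_TEXT = 'Quarterly report for <b>Q2</b> <img src=x onerror="alert(document.cookie)">'


def _diff_segments(old: str, new: str):
    """Yield (kind, text) pairs from a word-level diff of two strings.

    kind is 'equal', 'delete' or 'insert'; difflib's 'replace' opcode is
    split into a delete followed by an insert so each segment has one kind.
    """
    old_words = old.split(" ")
    new_words = new.split(" ")
    matcher = difflib.SequenceMatcher(None, old_words, new_words, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            yield "equal", " ".join(old_words[i1:i2])
        if tag in ("delete", "replace"):
            yield "delete", " ".join(old_words[i1:i2])
        if tag in ("insert", "replace"):
            yield "insert", " ".join(new_words[j1:j2])


def _wrap(kind: str, text: str) -> str:
    """Add the diff markup around one already-prepared text segment."""
    if kind == "delete":
        return f"<del>{text}</del>"
    if kind == "insert":
        return f"<ins>{text}</ins>"
    return text


def inline_diff_vulnerable(old: str, new: str) -> str:
    """Illustrative buggy renderer (hypothetical, not CMFDiffTool's code).

    The raw field text is concatenated into the HTML output, so any markup
    stored in the field, including the injected <img onerror=...>, reaches
    the viewer's browser as live HTML when the diff page is rendered.
    """
    return " ".join(_wrap(kind, text) for kind, text in _diff_segments(old, new))


def inline_diff_hardened(old: str, new: str) -> str:
    """Same rendering, but each segment is HTML-escaped before the <del>/<ins>
    markup is added, so stored markup is displayed literally, not executed."""
    return " ".join(
        _wrap(kind, html.escape(text, quote=True))
        for kind, text in _diff_segments(old, new)
    )


def has_unescaped_tag(rendered: str, tag_name: str) -> bool:
    """Crude output check: does the rendered diff still contain a raw
    opening tag of the given name (as opposed to the escaped &lt;... form)?"""
    return f"<{tag_name}" in rendered.lower()


if __name__ == "__main__":
    vulnerable = inline_diff_vulnerable(OLD_TEXT, NEW_TEXT)
    hardened = inline_diff_hardened(OLD_TEXT, NEW_TEXT)
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
    print("raw <img> survives in vulnerable output:", has_unescaped_tag(vulnerable, "img"))
    print("raw <img> survives in hardened output:  ", has_unescaped_tag(hardened, "img"))
```

The design point is the ordering: escape first, then add the renderer's own markup. Escaping the finished output instead would neutralise the <del>/<ins> tags along with the payload, which is why a diff renderer that wants to emit its own HTML has to treat the compared content strictly as text at the point it is interpolated.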
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in session hijacking, defacement, or theft of sensitive information. The attacker gains the same privileges as the victim user, potentially escalating to full administrative control if the victim is an administrator.
Mitigation
Plone released a security hotfix on May 18, 2021 (hotfix 20210518) that addresses this vulnerability [3]. Users should apply the hotfix immediately. No workaround is available for unpatched versions. The vulnerability affects all supported Plone versions; earlier unsupported versions may also be vulnerable but the hotfix has not been tested on them [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | <= 5.2.4 | — |
Affected products
- Plone/Plone
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fj67-w3m4-rfmp (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33513 (NVD advisory)
- www.openwall.com/lists/oss-security/2021/05/22/1 (oss-security mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-85.yaml (PyPA advisory database)
- plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool (vendor hotfix advisory)
News mentions
No linked articles in our index yet.