Cross-Frame Scripting (XFS) on Plone CMS
Description
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting versions below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicious iframe element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Cross-Frame Scripting (XFS) vulnerability in Plone CMS below 6.0.5 allows stored malicious URLs to execute iframe elements when opened by an administrator.
CVE-2024-0669 is a Cross-Frame Scripting (XFS) vulnerability affecting Plone CMS versions below 6.0.5. The vulnerability is classified under CWE-1021 and has a CVSS v3.1 base score of 6.3 [3]. The root cause is improper restriction of frame or iframe execution, allowing an attacker to inject a malicious iframe via a stored URL.
To exploit this vulnerability, an attacker must have low privileges and store a malicious URL that later requires an administrator to open it. The attack vector is network-based with low complexity, and no user interaction beyond the administrator opening the link is required [3].
Successful exploitation allows an attacker to execute a malicious iframe, leading to limited impacts on confidentiality, integrity, and availability [3].
The issue has been addressed by the vendor in Plone CMS version 6.0.7. Users are advised to update to this or later versions to mitigate the risk [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Plone (PyPI) | < 6.0.7 | 6.0.7 |
Affected products
- Plone CMS / Plone CMS v5 (range: 6.0.5)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.