PyPI package
plone
pkg:pypi/plone
Vulnerabilities (100)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-22889 | — | <= 6.0.9 | — | Mar 5, 2024 | Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request. | ||
| CVE-2024-0669 | — | < 6.0.7 | 6.0.7 | Jan 18, 2024 | A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element. | ||
| CVE-2021-33926 | — | >= 4.3, < 5.2.5 | 5.2.5 | Feb 17, 2023 | An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4. | ||
| CVE-2021-35959 | — | >= 5.0, <= 5.2.4 | — | Jun 30, 2021 | In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field. | ||
| CVE-2021-33507 | — | <= 5.2.4 | — | May 21, 2021 | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. | ||
| CVE-2021-33508 | — | <= 5.2.4 | — | May 21, 2021 | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | ||
| CVE-2021-33509 | — | < 5.2.5 | 5.2.5 | May 21, 2021 | Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. | ||
| CVE-2021-33510 | — | <= 5.2.4 | — | May 21, 2021 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | ||
| CVE-2021-33511 | — | <= 5.2.4 | — | May 21, 2021 | Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | ||
| CVE-2021-33512 | — | <= 5.2.4 | — | May 21, 2021 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | ||
| CVE-2021-33513 | — | <= 5.2.4 | — | May 21, 2021 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | ||
| CVE-2021-3313 | — | < 5.2.4 | 5.2.4 | May 20, 2021 | Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code b | ||
| CVE-2021-29002 | — | <= 5.2.3 | — | Mar 24, 2021 | A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. | ||
| CVE-2020-28736 | — | < 5.2.3 | 5.2.3 | Dec 30, 2020 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | ||
| CVE-2020-28735 | — | < 5.2.3 | 5.2.3 | Dec 30, 2020 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | ||
| CVE-2020-28734 | — | < 5.2.3 | 5.2.3 | Dec 30, 2020 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | ||
| CVE-2020-7936 | — | >= 4.0, < 4.3.20 | 4.3.20 | Jan 23, 2020 | An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. | ||
| CVE-2020-7937 | — | >= 5.0, <= 5.2.1 | — | Jan 23, 2020 | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | ||
| CVE-2020-7938 | — | >= 5.2.0, < 5.2.2 | 5.2.2 | Jan 23, 2020 | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | ||
| CVE-2020-7939 | — | >= 4.0, <= 5.2.1 | — | Jan 23, 2020 | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) |
- CVE-2024-22889Mar 5, 2024affected <= 6.0.9
Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.
- CVE-2024-0669Jan 18, 2024affected < 6.0.7fixed 6.0.7
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element.
- CVE-2021-33926Feb 17, 2023affected >= 4.3, < 5.2.5fixed 5.2.5
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.
- CVE-2021-35959Jun 30, 2021affected >= 5.0, <= 5.2.4
In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.
- CVE-2021-33507May 21, 2021affected <= 5.2.4
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
- CVE-2021-33508May 21, 2021affected <= 5.2.4
Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.
- CVE-2021-33509May 21, 2021affected < 5.2.5fixed 5.2.5
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
- CVE-2021-33510May 21, 2021affected <= 5.2.4
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.
- CVE-2021-33511May 21, 2021affected <= 5.2.4
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
- CVE-2021-33512May 21, 2021affected <= 5.2.4
Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.
- CVE-2021-33513May 21, 2021affected <= 5.2.4
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
- CVE-2021-3313May 20, 2021affected < 5.2.4fixed 5.2.4
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code b
- CVE-2021-29002Mar 24, 2021affected <= 5.2.3
A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.
- CVE-2020-28736Dec 30, 2020affected < 5.2.3fixed 5.2.3
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
- CVE-2020-28735Dec 30, 2020affected < 5.2.3fixed 5.2.3
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
- CVE-2020-28734Dec 30, 2020affected < 5.2.3fixed 5.2.3
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
- CVE-2020-7936Jan 23, 2020affected >= 4.0, < 4.3.20fixed 4.3.20
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
- CVE-2020-7937Jan 23, 2020affected >= 5.0, <= 5.2.1
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.
- CVE-2020-7938Jan 23, 2020affected >= 5.2.0, < 5.2.2fixed 5.2.2
plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.
- CVE-2020-7939Jan 23, 2020affected >= 4.0, <= 5.2.1
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
Page 1 of 5