Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Plone Subscribe
Total 108 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-33507 2 Plone, Zope 2 Plone, Zope 2021-05-27 4.3 MEDIUM 6.1 MEDIUM
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
CVE-2021-3313 1 Plone 1 Plone 2021-05-25 3.5 LOW 5.4 MEDIUM
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
CVE-2021-33513 1 Plone 1 Plone 2021-05-24 3.5 LOW 5.4 MEDIUM
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
CVE-2021-33512 1 Plone 1 Plone 2021-05-24 3.5 LOW 5.4 MEDIUM
Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.
CVE-2021-33511 1 Plone 1 Plone 2021-05-24 5.0 MEDIUM 7.5 HIGH
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
CVE-2021-33510 1 Plone 1 Plone 2021-05-24 4.0 MEDIUM 4.3 MEDIUM
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.
CVE-2021-33509 1 Plone 1 Plone 2021-05-24 8.5 HIGH 9.9 CRITICAL
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
CVE-2021-33508 1 Plone 1 Plone 2021-05-24 3.5 LOW 5.4 MEDIUM
Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.
CVE-2020-28734 1 Plone 1 Plone 2021-01-04 6.5 MEDIUM 8.8 HIGH
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
CVE-2020-28735 1 Plone 1 Plone 2021-01-04 6.5 MEDIUM 8.8 HIGH
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
CVE-2020-28736 1 Plone 1 Plone 2021-01-04 6.5 MEDIUM 8.8 HIGH
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
CVE-2020-35190 1 Plone 1 Plone 2020-12-18 10.0 HIGH 9.8 CRITICAL
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-7937 1 Plone 1 Plone 2020-01-24 3.5 LOW 5.4 MEDIUM
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.
CVE-2020-7939 1 Plone 1 Plone 2020-01-24 6.5 MEDIUM 8.8 HIGH
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
CVE-2020-7940 1 Plone 1 Plone 2020-01-24 5.0 MEDIUM 7.5 HIGH
Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.
CVE-2020-7936 1 Plone 1 Plone 2020-01-24 5.8 MEDIUM 6.1 MEDIUM
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
CVE-2013-7062 1 Plone 1 Plone 2020-01-09 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method.
CVE-2017-5524 1 Plone 1 Plone 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
CVE-2017-1000483 1 Plone 1 Plone 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.
CVE-2008-0164 1 Plone 1 Plone Cms 2018-10-15 4.3 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page.