Vulnerabilities > CVE-2020-28736 - XXE vulnerability in Plone
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
- https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
- https://github.com/plone/Products.CMFPlone/issues/3209
- https://github.com/plone/Products.CMFPlone/issues/3209
- https://www.misakikata.com/codes/plone/python-en.html
- https://www.misakikata.com/codes/plone/python-en.html