Vulnerabilities > Plone

DATE CVE VULNERABILITY TITLE RISK
2020-12-30 CVE-2020-28736 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
network
low complexity
plone CWE-611
6.5
2020-12-30 CVE-2020-28735 Server-Side Request Forgery (SSRF) vulnerability in Plone
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
network
low complexity
plone CWE-918
6.5
2020-12-30 CVE-2020-28734 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
network
low complexity
plone CWE-611
6.5
2020-12-17 CVE-2020-35190 Missing Authentication for Critical Function vulnerability in Plone
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user.
network
low complexity
plone CWE-306
critical
10.0
2020-01-23 CVE-2020-7941 Improper Privilege Management vulnerability in Plone
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.
network
low complexity
plone CWE-269
7.5
2020-01-23 CVE-2020-7940 Weak Password Requirements vulnerability in Plone
Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.
network
low complexity
plone CWE-521
5.0
2020-01-23 CVE-2020-7939 SQL Injection vulnerability in Plone
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries.
network
low complexity
plone CWE-89
6.5
2020-01-23 CVE-2020-7938 Improper Privilege Management vulnerability in Plone 5.2.0/5.2.1
plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.
network
low complexity
plone CWE-269
6.5
2020-01-23 CVE-2020-7937 Cross-Site Scripting vulnerability in Plone
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.
network
plone CWE-79
3.5
2020-01-23 CVE-2020-7936 Open Redirect vulnerability in Plone
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
network
plone CWE-601
5.8