# Plone vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2020-12-30 | CVE-2020-28736 | XXE vulnerability in Plone | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | 6.5 |
| 2020-12-30 | CVE-2020-28735 | Server-Side Request Forgery (SSRF) vulnerability in Plone | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | 6.5 |
| 2020-12-30 | CVE-2020-28734 | XXE vulnerability in Plone | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | 6.5 |
| 2020-12-17 | CVE-2020-35190 | Missing Authentication for Critical Function vulnerability in Plone | The official plone Docker images before version 4.3.18-alpine (Alpine specific) contain a blank password for the root user. | 10.0 |
| 2020-01-23 | CVE-2020-7941 | Improper Privilege Management vulnerability in Plone | A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. | 7.5 |
| 2020-01-23 | CVE-2020-7940 | Weak Password Requirements vulnerability in Plone | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | 5.0 |
| 2020-01-23 | CVE-2020-7939 | SQL Injection vulnerability in Plone | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. | 6.5 |
| 2020-01-23 | CVE-2020-7938 | Improper Privilege Management vulnerability in Plone 5.2.0/5.2.1 | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | 6.5 |
| 2020-01-23 | CVE-2020-7937 | Cross-Site Scripting vulnerability in Plone | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | 3.5 |
| 2020-01-23 | CVE-2020-7936 | Open Redirect vulnerability in Plone | An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone site that, when followed, and possibly after login, will redirect to an attacker's site. | 5.8 |