Vulnerabilities > Plone > Plone > 3.3.5

DATE CVE VULNERABILITY TITLE RISK
2020-12-30 CVE-2020-28736 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
network
low complexity
plone CWE-611
6.5
6.5
2020-12-30 CVE-2020-28735 Server-Side Request Forgery (SSRF) vulnerability in Plone
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
network
low complexity
plone CWE-918
6.5
6.5
2020-12-30 CVE-2020-28734 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
network
low complexity
plone CWE-611
6.5
6.5
2020-01-02 CVE-2013-7062 Cross-site Scripting vulnerability in Plone
Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method.
network
plone CWE-79
4.3
4.3
2018-01-03 CVE-2017-1000484 Open Redirect vulnerability in Plone
By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website.
network
plone CWE-601
5.8
5.8
2018-01-03 CVE-2017-1000483 Unspecified vulnerability in Plone
Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1.
network
low complexity
plone
4.0
4.0
2018-01-03 CVE-2017-1000482 Cross-site Scripting vulnerability in Plone
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
network
plone CWE-79
3.5
3.5
2018-01-03 CVE-2017-1000481 Open Redirect vulnerability in Plone
When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url.
network
plone CWE-601
5.8
5.8
2017-09-25 CVE-2015-7293 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
network
plone zope CWE-352
6.8
6.8
2017-09-25 CVE-2015-7318 Improper Input Validation vulnerability in Plone
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
network
low complexity
plone CWE-20
5.0
5.0