Vulnerabilities > Plone > Plone > 4.3.11

DATE CVE VULNERABILITY TITLE RISK
2021-05-20 CVE-2021-3313 Cross-site Scripting vulnerability in Plone
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality.
network
plone CWE-79
3.5
3.5
2021-03-08 CVE-2021-21336 Information Exposure vulnerability in multiple products
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework.
network
low complexity
zope plone CWE-200
4.0
4.0
2020-12-30 CVE-2020-28736 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
network
low complexity
plone CWE-611
6.5
6.5
2020-12-30 CVE-2020-28735 Server-Side Request Forgery (SSRF) vulnerability in Plone
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
network
low complexity
plone CWE-918
6.5
6.5
2020-12-30 CVE-2020-28734 XXE vulnerability in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
network
low complexity
plone CWE-611
6.5
6.5
2020-12-17 CVE-2020-35190 Missing Authentication for Critical Function vulnerability in Plone
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user.
network
low complexity
plone CWE-306
critical
 10.0
10
2020-01-23 CVE-2020-7941 Improper Privilege Management vulnerability in Plone
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.
network
low complexity
plone CWE-269
7.5
7.5
2020-01-23 CVE-2020-7940 Weak Password Requirements vulnerability in Plone
Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.
network
low complexity
plone CWE-521
5.0
5.0
2020-01-23 CVE-2020-7939 SQL Injection vulnerability in Plone
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries.
network
low complexity
plone CWE-89
6.5
6.5
2020-01-23 CVE-2020-7936 Open Redirect vulnerability in Plone
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
network
plone CWE-601
5.8
5.8