Vulnerabilities > Plone > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-30 | CVE-2020-28736 | XXE vulnerability in Plone Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | 6.5 |
| 2020-12-30 | CVE-2020-28735 | Server-Side Request Forgery (SSRF) vulnerability in Plone Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | 6.5 |
| 2020-12-30 | CVE-2020-28734 | XXE vulnerability in Plone Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | 6.5 |
| 2020-01-23 | CVE-2020-7940 | Weak Password Requirements vulnerability in Plone Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | 5.0 |
| 2020-01-23 | CVE-2020-7939 | SQL Injection vulnerability in Plone SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. | 6.5 |
| 2020-01-23 | CVE-2020-7938 | Improper Privilege Management vulnerability in Plone 5.2.0/5.2.1 plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | 6.5 |
| 2020-01-23 | CVE-2020-7936 | Open Redirect vulnerability in Plone An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. | 5.8 |
| 2020-01-02 | CVE-2013-7062 | Cross-site Scripting vulnerability in Plone Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. | 4.3 |
| 2018-01-03 | CVE-2017-1000484 | Open Redirect vulnerability in Plone By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. | 5.8 |
| 2018-01-03 | CVE-2017-1000483 | Unspecified vulnerability in Plone Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. | 4.0 |