Known Vulnerabilities for products from Plone
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Plone".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2022-24740 | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 7.5 - HIGH | 2022-03-14 | 2022-03-22 |
| CVE-2022-23599 | Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATCo... | 6.1 - MEDIUM | 2022-01-28 | 2023-06-27 |
| CVE-2021-35959 | In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder ... | 5.4 - MEDIUM | 2021-06-30 | 2021-07-02 |
| CVE-2021-33926 | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 8.8 - HIGH | 2023-02-17 | 2023-03-02 |
| CVE-2021-33513 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | 5.4 - MEDIUM | 2021-05-21 | 2021-05-24 |
| CVE-2021-33512 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | 5.4 - MEDIUM | 2021-05-21 | 2021-05-24 |
| CVE-2021-33511 | Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plo... | 7.5 - HIGH | 2021-05-21 | 2021-05-24 |
| CVE-2021-33510 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a... | 4.3 - MEDIUM | 2021-05-21 | 2021-05-24 |
| CVE-2021-33509 | Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructure... | 9.9 - CRITICAL | 2021-05-21 | 2021-05-24 |
| CVE-2021-33508 | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | 5.4 - MEDIUM | 2021-05-21 | 2021-05-24 |
| CVE-2021-33507 | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other p... | 6.1 - MEDIUM | 2021-05-21 | 2021-05-27 |
| CVE-2021-32806 | Products.isurlinportal is a replacement for isURLInPortal method in Plone. Versions of Products.isurlinportal prior to 1.2.0 ... | 6.1 - MEDIUM | 2021-08-02 | 2021-09-20 |
| CVE-2021-32633 | Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indi... | 8.8 - HIGH | 2021-05-21 | 2022-04-06 |
| CVE-2021-29002 | A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_t... | 5.4 - MEDIUM | 2021-03-24 | 2021-12-08 |
| CVE-2021-21336 | Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthServic... | 6.5 - MEDIUM | 2021-03-08 | 2022-06-03 |
| CVE-2021-3313 | Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the fil... | 5.4 - MEDIUM | 2021-05-20 | 2021-05-25 |
| CVE-2020-35190 | The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. ... | 9.8 - CRITICAL | 2020-12-17 | 2020-12-18 |
| CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.Manage... | 8.8 - HIGH | 2020-12-30 | 2021-01-04 |
| CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | 8.8 - HIGH | 2020-12-30 | 2021-01-04 |
| CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | 8.8 - HIGH | 2020-12-30 | 2021-01-04 |
Known software with vulnerabilities from Plone
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Plone | Plone | 1.0 |