Filtered by vendor Plone
Subscriptions
Total
114 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-4042 | 1 Plone | 1 Plone | 2024-08-06 | N/A |
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors. | ||||
CVE-2017-5524 | 1 Plone | 1 Plone | 2024-08-05 | N/A |
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. | ||||
CVE-2020-35190 | 1 Plone | 1 Plone | 2024-08-04 | 9.8 Critical |
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||||
CVE-2020-28735 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | ||||
CVE-2020-28736 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | ||||
CVE-2020-28734 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | ||||
CVE-2020-7938 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. | ||||
CVE-2020-7940 | 1 Plone | 1 Plone | 2024-08-04 | 7.5 High |
Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. | ||||
CVE-2020-7941 | 1 Plone | 1 Plone | 2024-08-04 | 9.8 Critical |
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. | ||||
CVE-2020-7939 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | ||||
CVE-2020-7936 | 1 Plone | 1 Plone | 2024-08-04 | 6.1 Medium |
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. | ||||
CVE-2020-7937 | 1 Plone | 1 Plone | 2024-08-04 | 5.4 Medium |
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | ||||
CVE-2021-35959 | 1 Plone | 1 Plone | 2024-08-04 | 5.4 Medium |
In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field. | ||||
CVE-2021-33926 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet. | ||||
CVE-2021-33512 | 1 Plone | 1 Plone | 2024-08-03 | 5.4 Medium |
Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | ||||
CVE-2021-33509 | 1 Plone | 1 Plone | 2024-08-03 | 9.9 Critical |
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. | ||||
CVE-2021-33507 | 2 Plone, Zope | 2 Plone, Zope | 2024-08-03 | 6.1 Medium |
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. | ||||
CVE-2021-33510 | 1 Plone | 1 Plone | 2024-08-03 | 4.3 Medium |
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | ||||
CVE-2021-33511 | 1 Plone | 1 Plone | 2024-08-03 | 7.5 High |
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | ||||
CVE-2021-33513 | 1 Plone | 1 Plone | 2024-08-03 | 5.4 Medium |
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. |