CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3313
https://notcve.org/view.php?id=CVE-2021-3313
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload. Plone CMS hasta versión 5.2.4 presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la propiedad de nombre completo del usuario y en la funcionalidad file upload. Los datos de entrada del usuario no están codificados correctamente cuando son devueltos al usuario. • http://www.openwall.com/lists/oss-security/2021/05/22/1 https://plone.org/download/releases/5.2.3 https://plone.org/security/hotfix/20210518 https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28736
https://notcve.org/view.php?id=CVE-2020-28736
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). Plone versiones anteriores a 5.2.3, permite ataques de tipo XXE por medio de una funcionalidad que está protegida por un permiso no aplicado de plone.schemaeditor.ManageSchemata (por lo tanto, solo está disponible para el rol de Administrador). • https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt https://github.com/plone/Products.CMFPlone/issues/3209 https://www.misakikata.com/codes/plone/python-en.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28735
https://notcve.org/view.php?id=CVE-2020-28735
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). Plone versiones anteriores a 5.2.3, permite ataques de tipo SSRF por medio de la funcionalidad tracebacks (solo disponible para el rol de administrador). • https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt https://github.com/plone/Products.CMFPlone/issues/3209 https://www.misakikata.com/codes/plone/python-en.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28734
https://notcve.org/view.php?id=CVE-2020-28734
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. Plone versiones anteriores a 5.2.3, permite ataques de tipo XXE por medio de una funcionalidad que solo está disponible explícitamente para el rol de administrador. • https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt https://github.com/plone/Products.CMFPlone/issues/3209 https://www.misakikata.com/codes/plone/python-en.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2017-1000482
https://notcve.org/view.php?id=CVE-2017-1000482
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page. Un miembro del sitio de Plone 2.5-5.1rc1 podría introducir JavaScript en la propiedad home_page de su perfil, y hacer que se ejecute cuando un visitante hace clic en el enlace de la página de inicio en la página del autor. • https://plone.org/security/hotfix/20171128/xss-using-the-home_page-member-property • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •