Plone

This hub aggregates every CVE we track for Plone, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Plone.

• CVE-2024-22889Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.7.5Mar 5, 2024
• CVE-2024-23756The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server...7.5Feb 8, 2024
• CVE-2024-23055An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.6.1Jan 25, 2024
• CVE-2024-0669Cross-Frame Scripting (XFS) on Plone CMS6.3Jan 18, 2024
• CVE-2021-33926An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5....8.8Feb 17, 2023
• CVE-2022-23599Cross-site Scripting and Open Redirect in Products.ATContentTypes4.3Jan 28, 2022
• CVE-2021-35959In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.5.4Jun 30, 2021
• CVE-2021-33507Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.6.1May 21, 2021
• CVE-2021-33508Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.5.4May 21, 2021
• CVE-2021-33509Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.9.9May 21, 2021
• CVE-2021-33510Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.4.3May 21, 2021
• CVE-2021-33511Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.7.5May 21, 2021
• CVE-2021-33512Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.5.4May 21, 2021
• CVE-2021-33513Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.5.4May 21, 2021
• CVE-2021-32633Remote Code Execution via traversal in TAL expressions6.8May 21, 2021