CVE-2020-28736
Severity: HIGH
Plone < 5.2.3 - Authenticated XML External Entity Injection via Schema Editor
Title source: llmDescription
Plone before 5.2.3 allows XXE (XML External Entity) attacks via a feature that is protected by the plone.schemaeditor.ManageSchemata permission. That permission is not applied (granted) to any role by default, so the vulnerable feature is reachable only by users holding the Manager role: exploitation requires an authenticated Manager submitting crafted schema XML. Note that the CVSS vector below scores the required privilege as PR:L, which is more pessimistic than the Manager-only exposure stated in the description.
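The following is an added example, not code from Plone, plone.supermodel or the advisory, written in Python because that is the language of the affected packages. It shows the CWE-611 failure mode behind this CVE: a schema-editor style XML document that declares an entity in its DTD is parsed naively and the entity is expanded into a field title; a pre-parse guard that refuses any DOCTYPE or entity declaration (the same hook defusedxml uses) stops it. The sample documents are constructed for this example; the namespace is the real plone.supermodel schema namespace, but the element layout is a minimal approximation and the guard is a generic mitigation, not Plone's actual 5.2.3 fix. An internal entity is used so the example runs offline; a real XXE payload would declare a SYSTEM entity pointing at a file or URL.

```python
"""Added example (not Plone's code): how an entity declared in schema XML is
expanded by a naive parser, and a DTD-rejecting guard that stops it."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Real plone.supermodel namespace; the documents below are constructed samples.
SUPERMODEL_NS = "http://namespaces.plone.org/supermodel/schema"

# Attacker-supplied schema: the DTD declares an entity and the field title
# references it. Internal entity so the example runs offline; a real payload
# would use <!ENTITY leak SYSTEM "file:///etc/passwd"> or an HTTP URL instead.
MALICIOUS_SCHEMA = b"""<?xml version="1.0"?>
<!DOCTYPE model [
  <!ENTITY leak "CONTENTS-OF-SECRET-FILE">
]>
<model xmlns="http://namespaces.plone.org/supermodel/schema">
  <schema>
    <field name="title" type="zope.schema.TextLine">
      <title>&leak;</title>
    </field>
  </schema>
</model>
"""

# Constructed benign schema with no DTD at all.
BENIGN_SCHEMA = b"""<?xml version="1.0"?>
<model xmlns="http://namespaces.plone.org/supermodel/schema">
  <schema>
    <field name="title" type="zope.schema.TextLine">
      <title>Title</title>
    </field>
  </schema>
</model>
"""


class DoctypeForbidden(ValueError):
    """Raised when schema XML carries a DOCTYPE or entity declaration."""


def _reject(*_handler_args):
    # Shared expat handler for StartDoctypeDeclHandler and EntityDeclHandler;
    # raising here aborts the parse before any entity can be referenced.
    raise DoctypeForbidden("DTD and entity declarations are not allowed in schema XML")


def assert_no_dtd(data: bytes) -> None:
    """Pre-scan with expat and refuse any DTD (the approach defusedxml takes).

    Rejecting the DOCTYPE outright also covers internal-entity abuse such as
    billion-laughs, which a 'disable external entities' switch alone does not.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.Parse(data, True)


def field_titles_unsafe(data: bytes) -> list:
    """Naive parse: whatever the DTD declared is expanded into the field title."""
    root = ET.fromstring(data)
    return [el.text for el in root.iter("{%s}title" % SUPERMODEL_NS)]


def field_titles_safe(data: bytes) -> list:
    """Hardened parse: same extraction, but only after the DTD check passes."""
    assert_no_dtd(data)
    return field_titles_unsafe(data)


def schema_accepted(data: bytes) -> bool:
    """True if the hardened path processes the schema, False if it was rejected."""
    try:
        field_titles_safe(data)
        return True
    except DoctypeForbidden:
        return False


if __name__ == "__main__":
    print("unsafe parse of malicious schema:", field_titles_unsafe(MALICIOUS_SCHEMA))
    print("benign schema accepted:", schema_accepted(BENIGN_SCHEMA))
    print("malicious schema accepted:", schema_accepted(MALICIOUS_SCHEMA))
```

The guard is deliberately placed before the real parse rather than inside it: the C-accelerated xml.etree parser does not expose its expat handlers, so a separate expat pass is the portable way to hook DOCTYPE and entity declarations with the standard library alone. In a Plone deployment the equivalent control is to keep plone.schemaeditor.ManageSchemata restricted to Managers and to upgrade to 5.2.3 or later.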
References (3)
- https://www.misakikata.com/codes/plone/python-en.html (Broken Link; x_refsource_misc)
- https://github.com/plone/Products.CMFPlone/issues/3209 (Patch, Third Party Advisory; x_refsource_misc)
- https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt (Release Notes, Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3 base score: 8.8 (HIGH)
EPSS: 0.0107 (1.07% predicted probability of exploitation)
EPSS percentile: 60.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
Status: published
Products (6)
- plone/plone: < 5.2.3
- pypi/Plone: 0 - 5.2.3 (PyPI)
- pypi/plone.app.dexterity: 0 - 2.6.8 (PyPI)
- pypi/plone.app.event: 0 - 3.2.10 (PyPI)
- pypi/plone.app.theming: 0 - 4.1.6 (PyPI)
- pypi/plone.supermodel: 0 - 1.6.3 (PyPI)
Published: Dec 30, 2020
Tracked Since: Feb 18, 2026