CVE-2024-23054

CRITICAL

Plone Docker Official Image - Uncontrolled Search Path

Title source: rule

Description

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm).

References (3)

[Not Applicable] http://plone.com

[Product] http://ploneorg.com

[Exploit, Third Party Advisory] https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-23054/README.md

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0391

EPSS Percentile 88.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

plone/plone_docker_official_image

Timeline

Published Feb 05, 2024

Tracked Since Feb 18, 2026