GHSA-2c8c-84w2-j38j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2c8c-84w2-j38j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-2c8c-84w2-j38j/GHSA-2c8c-84w2-j38j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2c8c-84w2-j38j
- Aliases
- Published
- 2021-04-07T21:14:00Z
- Modified
- 2024-10-16T02:43:25.113537Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Improper Restriction of XML External Entity Reference in Plone
- Details
-
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
- Database specific
{ "severity": "HIGH", "github_reviewed_at": "2021-04-07T19:33:49Z", "github_reviewed": true, "nvd_published_at": "2020-12-30T19:15:00Z", "cwe_ids": [ "CWE-611" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28736
- https://github.com/plone/Products.CMFPlone/issues/3209
- https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
- https://github.com/advisories/GHSA-2c8c-84w2-j38j
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-248.yaml
- https://www.misakikata.com/codes/plone/python-en.html
Affected packages
PyPI / plone
Package
- Name
- plone
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.2.3
Affected versions
3.*
3.2a1
3.2rc1
3.2
3.2.1
3.2.2
3.2.3
3.3b1
3.3rc1
3.3rc2
3.3rc3
3.3rc4
3.3rc5
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
4.*
4.0a1
4.0a2
4.0a3
4.0a4
4.0a5
4.0b1
4.0b2
4.0b3
4.0b4
4.0b5
4.0rc1
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.1a1
4.1a2
4.1a3
4.1b1
4.1b2
4.1rc2
4.1rc3
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.2a1
4.2a2
4.2b1
4.2b2
4.2rc1
4.2rc2
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.3a1
4.3a2
4.3b1
4.3b2
4.3rc1
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
4.3.14
4.3.15
4.3.16
4.3.17
4.3.18
4.3.19
4.3.20
5.*
5.0a1
5.0a2
5.0a3
5.0b1
5.0b2
5.0b3
5.0b4
5.0rc1
5.0rc2
5.0rc3
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1a1
5.1a2
5.1b1
5.1b2
5.1b3
5.1b4
5.1rc1
5.1rc2
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.2a1
5.2a2
5.2b1
5.2rc1
5.2rc2
5.2rc3
5.2rc4
5.2rc5
5.2.0
5.2.1
5.2.2
PyPI / plone-app-event
Package
- Name
- plone-app-event
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-app-event
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.2.10
Affected versions
1.*
1.0a1
1.0a2
1.0b1
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0rc1
1.0rc2
1.0rc3
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.a1
1.1b1
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.10
1.1.11
1.1.12
1.1.13
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
2.*
2.0a1
2.0a2
2.0a3
2.0a4
2.0a5
2.0a6
2.0a7
2.0a8
2.0a9
2.0a10
2.0a11
2.0a12
2.0a13
2.0b1
2.0b2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
3.*
3.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
PyPI / plone-app-theming
Package
- Name
- plone-app-theming
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-app-theming
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.6
Affected versions
1.*
1.0b1
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0b9
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1a1
1.1a2
1.1b1
1.1b2
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
2.*
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
3.*
3.0.0
3.0.1
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
PyPI / plone-app-dexterity
Package
- Name
- plone-app-dexterity
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-app-dexterity
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.6.8
Affected versions
1.*
1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0a6
1.0a7
1.0b1
1.0b2
1.0b3
1.0b4
1.0rc1
1.0
1.0.1
1.0.2
1.0.3
1.1
1.2
1.2.1
1.2.2
2.*
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.20
2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
PyPI / plone-supermodel
Package
- Name
- plone-supermodel
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-supermodel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.3