CVE-2020-28736
Published: 2020-12-30
Priority: P3 (44)
Severity: high, CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.07% (60.5th percentile)
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plone | plone | < 5.2.3 | 5.2.3 |
| plone | plone | >= 0 < 5.2.3 | 5.2.3 |
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA (2021-04-07): CVE-2020-28736 [HIGH] CWE-611 Improper Restriction of XML External Entity Reference in Plone
OSV (2021-04-07): CVE-2020-28736 [HIGH] Improper Restriction of XML External Entity Reference in Plone
OSV (2020-12-30): CVE-2020-28736: Plone before 5
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
https://github.com/plone/Products.CMFPlone/issues/3209
https://www.misakikata.com/codes/plone/python-en.html