CVE-2020-7939
Published 2020-01-23
CVE-2020-7939: SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
Priority: P3 · 49 · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.21% (64.7th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plone | plone | >= 4.0 < 5.2.2 | 5.2.2 |
| plone | plone | 4.0 – 5.2.1 | — |
| plone | plone | 4.0.0 – 5.2.1 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 8.8 | HIGH | — |
OSV · 2022-05-24
CVE-2020-7939 [HIGH] Plone SQL Injection Vulnerability
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
GHSA · 2022-05-24
CVE-2020-7939 [HIGH] CWE-89 Plone SQL Injection Vulnerability
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
OSV · 2020-01-23
CVE-2020-7939: SQL Injection in DTML or in connection objects in Plone 4
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
Red Hat (vendor_redhat) · 2020-01-23 · CVSS 8.8
CVE-2020-7939 [HIGH] CWE-89 plone: SQL injection due to insufficient SQL quoting in DTML or in connection objects
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
Package: conga (Red Hat Enterprise Linux 5) - Out of support scope
No detection rules found.
No public exploits indexed.
References
http://www.openwall.com/lists/oss-security/2020/01/24/1
https://plone.org/security/hotfix/20200121
https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects
https://www.openwall.com/lists/oss-security/2020/01/22/1