Description
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

Remediation

References
CVE-2020-28734

Related Vulnerabilities
WordPress Plugin Zoho CRM Lead Magnet Cross-Site Scripting (1.6.9.1)
WordPress Plugin Aspose DOC Exporter Arbitrary File Download (1.0)
Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-12647)
Apache HTTP Server CVE-2009-1191 Vulnerability (CVE-2009-1191)
WebLogic Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-11022)

Severity
High

Classification
CVE-2020-28734
CWE-611
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags
Missing Update
Known Vulnerabilities