Description
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission, plone.schemaeditor.ManageSchemata (the feature is therefore available only to the Manager role).