Description
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission, plone.schemaeditor.ManageSchemata (the feature is therefore only available to the Manager role).