2 matches found
plone-app-z3cform (>=4.0.0a1 <=4.0.0a10) potentially affected by CVE-2020-28736 via plone-app-dexterity (=2.5.2)
plone-app-dexterity PYPI version =2.5.2 is affected by a known vulnerability. The following packages have a transitive dependency on plone-app-dexterity and may be impacted: - plone-app-z3cform =4.0.0a1, =4.0.0a10 Source cves: CVE-2020-28736 Source advisory: OSV:GHSA-2C8C-84W2-J38J...
CVE-2020-28736
CVE-2020-28736 affects Plone prior to 5.2.3. A XXE vulnerability exists in a feature protected by the unapplied permission plone.schemaeditor.ManageSchemata, making it accessible only to the Manager role. This leads to XML External Entity attacks that could impact confidentiality, integrity, and ...