1360 matches found
Products.isurlinportal has possible open redirect when using more than 2 forward slashes
Impact A url /login?camefrom=////evil.example may redirect to an external website after login. Standard Plone is not affected, but if you have customised the login, for example with add-ons, you might be affected. You can try the url to check if you are affected or not. Patches The problem has be...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper versification of user identify in comment posting feature. An attacker can exploit this vulnerability by impersonating a registered user, potentially leading to unauthoriz...
CVE-2021-33512
Plone through 5.2.4 allows stored XSS attacks by a Contributor by uploading an SVG or HTML document...
CVE-2021-33510
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file...
CVE-2021-33509
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script...
CVE-2021-33511
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel...
CVE-2021-33926
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4...
Denial-of-service (DoS)
@plone/volto is vulnerable to a denial-of-service DoS. The vulnerability is due to improper handling of a specific URL request, which allows an attacker to crash the NodeJS server component by simply visiting that crafted URL...
CVE-2025-61668
Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...
EUVD-2020-0144
Malware in sbrugna...
EUVD-2017-0087
Malware in sbrugna...
EUVD-2021-0188
Malware in sbrugna...
EUVD-2018-0116
Malware in sbrugna...
EUVD-2020-0147
Malware in sbrugna...
EUVD-2021-0187
Malware in sbrugna...
EUVD-2014-0072
Malware in sbrugna...
EUVD-2017-0091
Malware in sbrugna...
EUVD-2014-0047
Malware in sbrugna...
EUVD-2008-0008
Malware in sbrugna...
EUVD-2014-0073
Malware in sbrugna...