GHSA-HC5C-R8M5-2GFH plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait

Impact There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits. Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first ne...

CVE-2020-7938

A flaw was found in Plone in versions 5.2.0 through 5.2.1. Users with a certain privilege level can escalate their privileges up to the highest privilege level when the site is using plone.restapi. The highest threat from this vulnerability is to data confidentiality and integrity as well as syst...

CVE-2020-7938

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level...

Design/Logic Flaw

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level...

CVE-2020-7938

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level...

Privilege Escalation

plone.restapi is vulnerable to privilege escalation. The vulnerability exists as DeserializeFromJson does not properly delegate the allowed user roles...