

Zope is an open-source web application server. Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in, , and plone.supermodel. Plone through 5.2.4 allows SSRF via the lxml parser.

Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.

