Plone CMS Improper Restriction of XML External Entity Reference Vulnerability (CVE-2020-28736)

Description

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

Remediation

References

CVE-2020-28736

Related Vulnerabilities

Apache 2.x version older than 2.0.48

Drupal Core 8.5.x Cross-Site Scripting (8.5.0 - 8.5.13)

Ruby Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2020-5247)

MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2022-47927)

WordPress Plugin Site Editor-WordPress Site Builder-Theme Builder and Page Builder Local File Inclusion (1.1.1)

Severity

High

Classification

CVE-2020-28736 CWE-611 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H