{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","type":"pypi","namespace":"","name":"plone","version":"5.2.5","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"6.0.7","latest_non_vulnerable_version":"6.0.7","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35823?format=json","vulnerability_id":"VCID-29gf-82fr-k3h8","summary":"In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.","references":[{"reference_url":"https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/06/30/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/06/30/2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-35959","PYSEC-2021-110"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-29gf-82fr-k3h8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35806?format=json","vulnerability_id":"VCID-ax8a-2g7j-6ya2","summary":"Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.","references":[{"reference_url":"https://github.com/advisories/GHSA-fj67-w3m4-rfmp","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fj67-w3m4-rfmp"},{"reference_url":"https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33513","GHSA-fj67-w3m4-rfmp","PYSEC-2021-85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ax8a-2g7j-6ya2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35801?format=json","vulnerability_id":"VCID-d42u-s7za-a3ad","summary":"Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.","references":[{"reference_url":"https://github.com/advisories/GHSA-gc9g-67cq-p7v4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gc9g-67cq-p7v4"},{"reference_url":"https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33511","GHSA-gc9g-67cq-p7v4","PYSEC-2021-83"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d42u-s7za-a3ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35800?format=json","vulnerability_id":"VCID-eu4z-htaq-c3d6","summary":"Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.","references":[{"reference_url":"https://github.com/advisories/GHSA-4mg4-wvmx-5332","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mg4-wvmx-5332"},{"reference_url":"https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33510","GHSA-4mg4-wvmx-5332","PYSEC-2021-82"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eu4z-htaq-c3d6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35805?format=json","vulnerability_id":"VCID-p71t-er3d-9fdn","summary":"Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.","references":[{"reference_url":"https://github.com/advisories/GHSA-hm2h-f456-6j88","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hm2h-f456-6j88"},{"reference_url":"https://plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33512","GHSA-hm2h-f456-6j88","PYSEC-2021-84"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p71t-er3d-9fdn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35804?format=json","vulnerability_id":"VCID-q7nt-b3s9-9kf6","summary":"Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.","references":[{"reference_url":"https://github.com/advisories/GHSA-35rg-466w-77h3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-35rg-466w-77h3"},{"reference_url":"https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33507","GHSA-35rg-466w-77h3","PYSEC-2021-79"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q7nt-b3s9-9kf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35802?format=json","vulnerability_id":"VCID-r52t-hx1j-ufa1","summary":"Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.","references":[{"reference_url":"https://github.com/advisories/GHSA-rmpv-rcp6-v8wc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rmpv-rcp6-v8wc"},{"reference_url":"https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33508","GHSA-rmpv-rcp6-v8wc","PYSEC-2021-80"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r52t-hx1j-ufa1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35803?format=json","vulnerability_id":"VCID-x2xm-hpc2-uubq","summary":"Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.","references":[{"reference_url":"https://github.com/advisories/GHSA-hm2p-fhwx-9285","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hm2p-fhwx-9285"},{"reference_url":"https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/22/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2021/05/22/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33509","GHSA-hm2p-fhwx-9285","PYSEC-2021-81"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x2xm-hpc2-uubq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36381?format=json","vulnerability_id":"VCID-z4jt-v88h-77er","summary":"An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet.","references":[{"reference_url":"https://github.com/plone/Plone","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Plone"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2023-289.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2023-289.yaml"},{"reference_url":"https://github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf"},{"reference_url":"https://plone.org/security/hotfix/20210518","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://plone.org/security/hotfix/20210518"},{"reference_url":"https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33926","reference_id":"CVE-2021-33926","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33926"},{"reference_url":"https://github.com/advisories/GHSA-47p5-p3jw-w78w","reference_id":"GHSA-47p5-p3jw-w78w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-47p5-p3jw-w78w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22026?format=json","purl":"pkg:pypi/plone@5.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}],"aliases":["CVE-2021-33926","GHSA-47p5-p3jw-w78w","PYSEC-2023-289"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4jt-v88h-77er"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.2.5"}