cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*
Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory.
Max CVSS
6.1
EPSS Score
0.06%
Published
2022-01-28
Updated
2023-06-27
Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
Max CVSS
5.4
EPSS Score
0.05%
Published
2021-05-21
Updated
2021-05-24
Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.
Max CVSS
5.4
EPSS Score
0.05%
Published
2021-05-21
Updated
2021-05-24
Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.
Max CVSS
5.4
EPSS Score
0.05%
Published
2021-05-21
Updated
2021-05-24
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
Max CVSS
6.1
EPSS Score
0.08%
Published
2021-05-21
Updated
2021-05-27
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
Max CVSS
5.4
EPSS Score
0.08%
Published
2021-05-20
Updated
2021-05-25
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
Max CVSS
5.4
EPSS Score
0.05%
Published
2018-01-03
Updated
2018-01-17
Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.22%
Published
2014-03-11
Updated
2014-03-12
Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.22%
Published
2014-09-30
Updated
2014-10-01
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
3.5
EPSS Score
0.10%
Published
2014-09-30
Updated
2014-10-01
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."
Max CVSS
4.3
EPSS Score
0.22%
Published
2014-09-30
Updated
2014-10-01
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.22%
Published
2014-09-30
Updated
2014-10-01
Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.
Max CVSS
3.5
EPSS Score
0.12%
Published
2011-06-06
Updated
2018-10-09
Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Max CVSS
4.3
EPSS Score
0.29%
Published
2011-06-06
Updated
2023-02-13
Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.
Max CVSS
4.3
EPSS Score
0.16%
Published
2011-08-05
Updated
2011-08-08
Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.
Max CVSS
4.3
EPSS Score
0.14%
Published
2010-06-24
Updated
2010-06-24
Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror Javascript even in an IMG tag.
Max CVSS
4.3
EPSS Score
0.32%
Published
2008-10-15
Updated
2008-11-15
17 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!