CVE-2020-28735: SSRF attacks via tracebacks in Plone

April 7, 2021 (updated October 15, 2024)

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

References

dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
github.com/advisories/GHSA-x7wf-5mjc-6x76
github.com/plone/Products.CMFPlone/issues/3209
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-247.yaml
nvd.nist.gov/vuln/detail/CVE-2020-28735
www.misakikata.com/codes/plone/python-en.html

Code Behaviors & Features

Detect and mitigate CVE-2020-28735 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →