CVE-2020-28736: Improper Restriction of XML External Entity Reference in Plone

April 7, 2021 (updated October 15, 2024)

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

References

dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
github.com/advisories/GHSA-2c8c-84w2-j38j
github.com/plone/Products.CMFPlone/issues/3209
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-248.yaml
nvd.nist.gov/vuln/detail/CVE-2020-28736
www.misakikata.com/codes/plone/python-en.html

Code Behaviors & Features

Detect and mitigate CVE-2020-28736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →