CVE-2021-33511: Server-Side Request Forgery in Plone

June 15, 2021 (updated October 18, 2024)

Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.

References

github.com/advisories/GHSA-gc9g-67cq-p7v4
github.com/plone/Plone
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-83.yaml
nvd.nist.gov/vuln/detail/CVE-2021-33511
plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser

Code Behaviors & Features

Detect and mitigate CVE-2021-33511 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →