CVE-2021-33511

CVE Database · CVE-2021-33511

CVE-2021-33511

· HIGHModified

CVSS v3.1

7.5

EPSS

1.20%

Published

May 21, 2021

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-918

Affected Products (1)

plone · plonevulnerable

References (4)

http://www.openwall.com/lists/oss-security/2021/05/22/1

Mailing ListThird Party Advisory

https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser

Vendor Advisory

http://www.openwall.com/lists/oss-security/2021/05/22/1

Mailing ListThird Party Advisory

https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs