CVE-2021-33926: Subodh/Plone 5.2.4 Vulnerable to bilend SSRF.pdf at master · s-kustm/Subodh

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1, 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows an attacker to access sensitive information via the RSS feed portlet.


Vulnerability

By adding an RSS feed portlet in their dashboard, a normal member could try loading the RSS feed of an internal service that is otherwise unreachable for this member.

Current status as of 20 May, 2020

Hotfixed. Note: the only fix we apply is that we only allow HTTP and HTTPS access, so you cannot use the file protocol or any other protocol. The more general case of accessing internal servers, here and in other parts of the Plone code, cannot truly be fixed without major code changes or breaking valid use cases. For example, on an intranet, you may want to show the RSS feed of an internal log server.
