Published: 17 Feb 2023
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 8.8
Description
Server-Side Request Forgery in Plone CMS
A blind server-side request forgery (SSRF) in the RSS feed portlet of Plone CMS allows an attacker to make the server's feed parser request internal URLs and thereby access sensitive information.
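The defect described above is the classic feed-fetcher SSRF: a user-supplied feed URL is handed to a parser that fetches it from inside the network perimeter. The following is an added example written for this page, not Plone's hotfix or any Plone code: a hypothetical `check_feed_url` guard that a feed-fetching component could call before passing a URL to feedparser. It rejects non-HTTP schemes, embedded credentials, and any host that resolves (or is a literal) to loopback, private, link-local, multicast, reserved or unspecified addresses. The resolver is injectable so the check can be exercised offline with constructed DNS answers; the hostnames and addresses in `FAKE_DNS` are made up for the example.

```python
"""Added example (not Plone's code): reject feed URLs that target internal hosts.

check_feed_url(url, resolver) returns (ok, reason). The resolver argument is a
hypothetical hook so the check can run offline against constructed DNS data.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip: str) -> bool:
    """True for any address a feed fetcher should never be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def default_resolver(host: str):
    """Real DNS lookup; returns every address the name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_feed_url(url: str, resolver=default_resolver):
    """Decide whether a feed URL may be fetched. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"

    # Literal IPs (including bracketed IPv6) are checked directly; names are resolved.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"resolution failed: {exc}"
    if not ips:
        return False, "name resolved to no addresses"

    # Every address must be external: a name that resolves to a mix of public
    # and private addresses is rejected, not allowed on its first public answer.
    for ip in ips:
        try:
            if _is_internal(ip):
                return False, f"resolves to internal address {ip}"
        except ValueError:
            return False, f"unparseable address {ip!r}"
    return True, "ok"


# Constructed DNS answers for offline demonstration (hypothetical names/addresses).
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str):
    """Stand-in for DNS that answers only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such name: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://feeds.example.com/rss.xml",
        "http://localhost:8080/manage",
        "http://[::1]/",
        "http://metadata.internal/latest/",
        "http://rebind.example.net/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_feed_url(candidate, fake_resolver))
```

The check deliberately fails closed on any resolution error and on mixed public/private answers. It is still only a pre-flight check: a resolver answer can change between the check and the actual connection (DNS rebinding), and the feed parser may follow redirects to a new host. A complete fix also pins the connection to the vetted address and re-applies the check on every redirect, or routes fetches through an egress proxy that enforces the same policy.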
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-33926
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2023-289.yaml
- https://github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf
- https://plone.org/security/hotfix/20210518
- https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url
Packages
Name: Plone (pip)
Affected versions: >= 4.3, < 5.2.5
Fixed version: 5.2.5
Related vulnerabilities
CVSS3: 8.8
nvd
almost 3 years ago
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1, 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows an attacker to access sensitive information via the RSS feed portlet.