CVE-2020-28734: Improper Restriction of XML External Entity Reference in Plone

April 7, 2021 (updated October 17, 2024)

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

References

dist.plone.org/release/5.2.3/RELEASE-NOTES.txt
github.com/advisories/GHSA-wq6x-g685-w5f2
github.com/plone/Products.CMFPlone/issues/3209
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-246.yaml
nvd.nist.gov/vuln/detail/CVE-2020-28734
www.misakikata.com/codes/plone/python-en.html

Detect and mitigate CVE-2020-28734 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →