CVE-2021-33507: Cross-site scripting in Products.CMFCore, Products.PluggableAuthService, Plone

June 18, 2021 (updated October 18, 2024)

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

References

github.com/advisories/GHSA-35rg-466w-77h3
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2021-79.yaml
nvd.nist.gov/vuln/detail/CVE-2021-33507
plone.org/security/hotfix/20210518/reflected-xss-in-various-spots

Detect and mitigate CVE-2021-33507 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →