Cross-site scripting in Products.CMFCore, Products.PluggableAuthService, Plone
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
Open redirect vulnerability - a maliciously crafted link to the login form and login functionality could redirect the browser to a different website.
Information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin.