Improper Restriction of XML External Entity Reference in Plone
High severity
GitHub Reviewed
Published
Apr 7, 2021
to the GitHub Advisory Database
•
Updated Oct 15, 2024
Description
Published by the National Vulnerability Database
Dec 30, 2020
Reviewed
Apr 7, 2021
Published to the GitHub Advisory Database
Apr 7, 2021
Last updated
Oct 15, 2024
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
References