PT-2021-20169 · Plone+1 · Plone+1

David Miller

Published

2021-05-21

Updated

2021-06-15

CVE-2021-33511

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Plone versions prior to 5.2.5

Description The issue allows for Server-Side Request Forgery (SSRF) via the lxml parser. This affects various components including Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.

Recommendations For Plone versions prior to 5.2.5, update to version 5.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the lxml parser until a patch is available.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2021-33511

GHSA-GC9G-67CQ-P7V4

PYSEC-2021-83

Affected Products

Plone

Lxml

PT-2021-20169 · Plone+1 · Plone+1

CVE-2021-33511

Weakness Enumeration

Related Identifiers

Affected Products

References · 12