Vulnerability Description
Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and model editors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plone | Plone | <= 5.2.4 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/05/22/1 (Mailing List, Third Party Advisory)
- https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml (Vendor Advisory)
FAQ
What is CVE-2021-33511?
CVE-2021-33511 is a vulnerability with a CVSS score of 7.5 (HIGH). Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and model editors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
How severe is CVE-2021-33511?
CVE-2021-33511 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-33511?
Check the references section above for vendor advisories and patch information. Affected products include Plone (vendor: Plone).