CVE-2021-33507

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

Published: May 22, 2021
Updated: May 9, 2024
CVE: CVE-2021-33507
GHSA: GHSA-35rg-466w-77h3
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
plone / plone	5.0	5.2.4.x
plone / plone	-	4.3.20.x
zope / zope	-	2.5.1
Products.CMFCore	-	2.5.1
Products.PluggableAuthService	-	2.6.2
plone	-	5.2.4.x

http://www.openwall.com/lists/oss-security/2021/05/22/1
https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots

Vulnerability Database

289,697

CVE-2021-33507