HIGH 8.8

PYSEC-2023-289

Details

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 4.3 Fixed in: 5.2.5

Fix pip install --upgrade 'plone>=5.2.5'

References

https://github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf [WEB]
https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url [ADVISORY]
https://plone.org/security/hotfix/20210518 [WEB]