Plone Python Library Multiple Vulnerabilities (20230921)

high Nessus Plugin ID 300605

Synopsis

A Python library installed on the remote host is affected by multiple vulnerabilities.

Description

The detected version of the Plone Python package, plone, is prior to version 5.2.14 or is 6.x prior to 6.0.7. It is, therefore, affected by the following vulnerabilities:

- Multiple stored cross-site scripting (XSS) vulnerabilities exist when handling SVG images. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in the user's browser session. (CVE-2023-41048, CVE-2023-42458)

- A denial of service (DoS) vulnerability exists in plone.rest. An unauthenticated, remote attacker can exploit this issue to cause the server to stop responding.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to plone version 5.2.14, 6.0.7 or later.

See Also

https://plone.org/security/announcements/20230921-announcement

Plugin Details

Severity: High

ID: 300605

File Name: plone_20230921.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/4/2026

Updated: 3/4/2026

Configuration: Enable paranoid mode, Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:plone:plone

Required KB Items: Settings/ParanoidReport

Patch Publication Date: 9/21/2023

Vulnerability Publication Date: 9/21/2023

Reference Information

CVE: CVE-2023-41048, CVE-2023-42457, CVE-2023-42458