CVE-2021-3313
5.4 MEDIUMPlone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload fun...
Published: 2021-05-20 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Affected products
| Vendor | Product |
|---|---|
| plone | plone |
Description
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3313
- [Other]http://www.openwall.com/lists/oss-security/2021/05/22/1
- [Vendor advisory]https://plone.org/download/releases/5.2.3
- [Vendor advisory]https://plone.org/security/hotfix/20210518
- [Exploit reference]https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt
- [Other]http://www.openwall.com/lists/oss-security/2021/05/22/1
- [Vendor advisory]https://plone.org/download/releases/5.2.3
- [Vendor advisory]https://plone.org/security/hotfix/20210518
- [Exploit reference]https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt
Related CVEs
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)