Search criteria
7 vulnerabilities found for volto by plone
CVE-2025-61668 (GCVE-0-2025-61668)
Vulnerability from cvelistv5 – Published: 2025-10-02 21:46 – Updated: 2025-10-03 13:37
VLAI?
Title
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Summary
Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T13:37:13.125666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T13:37:25.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003c 16.34.1"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.22.2"
},
{
"status": "affected",
"version": "\u003e= 18.0.0, \u003c 18.27.2"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-alpha.1, \u003c 19.0.0-alpha.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T21:46:32.975Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33"
},
{
"name": "https://github.com/plone/volto/pull/7412",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/7412"
},
{
"name": "https://github.com/plone/volto/pull/7413",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/7413"
},
{
"name": "https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c"
},
{
"name": "https://github.com/plone/volto/releases/tag/16.34.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/16.34.1"
},
{
"name": "https://github.com/plone/volto/releases/tag/17.22.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/17.22.2"
},
{
"name": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.6"
},
{
"name": "http://github.com/plone/volto/releases/tag/18.27.2",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/plone/volto/releases/tag/18.27.2"
}
],
"source": {
"advisory": "GHSA-m8rj-ppph-mj33",
"discovery": "UNKNOWN"
},
"title": "@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61668",
"datePublished": "2025-10-02T21:46:32.975Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-03T13:37:25.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58047 (GCVE-0-2025-58047)
Vulnerability from cvelistv5 – Published: 2025-08-28 17:10 – Updated: 2025-11-04 21:13
VLAI?
Title
Volto affected by possible DoS by invoking specific URL by anonymous user
Summary
Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58047",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T18:35:47.223133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T18:35:51.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:20.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/28/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003c 16.34.0"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.22.1"
},
{
"status": "affected",
"version": "\u003e= 18.0.0, \u003c 18.24.0"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-alpha.1, \u003c 19.0.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T17:10:58.381Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5"
},
{
"name": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a"
},
{
"name": "https://github.com/plone/volto/releases/tag/16.34.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/16.34.0"
},
{
"name": "https://github.com/plone/volto/releases/tag/17.22.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/17.22.1"
},
{
"name": "https://github.com/plone/volto/releases/tag/18.24.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/18.24.0"
},
{
"name": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4"
}
],
"source": {
"advisory": "GHSA-xjhf-7833-3pm5",
"discovery": "UNKNOWN"
},
"title": "Volto affected by possible DoS by invoking specific URL by anonymous user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58047",
"datePublished": "2025-08-28T17:10:58.381Z",
"dateReserved": "2025-08-22T14:30:32.221Z",
"dateUpdated": "2025-11-04T21:13:20.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-24740 (GCVE-0-2022-24740)
Vulnerability from cvelistv5 – Published: 2022-03-14 22:15 – Updated: 2025-04-23 18:54
VLAI?
Title
Improper Authentication in Volto
Summary
Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.
Severity ?
5 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/plone/volto/pull/3051"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:02.469984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:04.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.0.0-alpha.5, \u003c 15.0.0-alpha.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user\u0027s account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T22:15:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/3051"
}
],
"source": {
"advisory": "GHSA-cfhh-xgwq-5r67",
"discovery": "UNKNOWN"
},
"title": "Improper Authentication in Volto",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24740",
"STATE": "PUBLIC",
"TITLE": "Improper Authentication in Volto"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "volto",
"version": {
"version_data": [
{
"version_value": "\u003e= 14.0.0-alpha.5, \u003c 15.0.0-alpha.0"
}
]
}
}
]
},
"vendor_name": "plone"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user\u0027s account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67",
"refsource": "CONFIRM",
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"name": "https://github.com/plone/volto/pull/3051",
"refsource": "MISC",
"url": "https://github.com/plone/volto/pull/3051"
}
]
},
"source": {
"advisory": "GHSA-cfhh-xgwq-5r67",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24740",
"datePublished": "2022-03-14T22:15:13.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:04.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61668 (GCVE-0-2025-61668)
Vulnerability from nvd – Published: 2025-10-02 21:46 – Updated: 2025-10-03 13:37
VLAI?
Title
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Summary
Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T13:37:13.125666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T13:37:25.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003c 16.34.1"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.22.2"
},
{
"status": "affected",
"version": "\u003e= 18.0.0, \u003c 18.27.2"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-alpha.1, \u003c 19.0.0-alpha.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T21:46:32.975Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33"
},
{
"name": "https://github.com/plone/volto/pull/7412",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/7412"
},
{
"name": "https://github.com/plone/volto/pull/7413",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/7413"
},
{
"name": "https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c"
},
{
"name": "https://github.com/plone/volto/releases/tag/16.34.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/16.34.1"
},
{
"name": "https://github.com/plone/volto/releases/tag/17.22.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/17.22.2"
},
{
"name": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.6"
},
{
"name": "http://github.com/plone/volto/releases/tag/18.27.2",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/plone/volto/releases/tag/18.27.2"
}
],
"source": {
"advisory": "GHSA-m8rj-ppph-mj33",
"discovery": "UNKNOWN"
},
"title": "@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61668",
"datePublished": "2025-10-02T21:46:32.975Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-03T13:37:25.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58047 (GCVE-0-2025-58047)
Vulnerability from nvd – Published: 2025-08-28 17:10 – Updated: 2025-11-04 21:13
VLAI?
Title
Volto affected by possible DoS by invoking specific URL by anonymous user
Summary
Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58047",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T18:35:47.223133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T18:35:51.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:20.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/28/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003c 16.34.0"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.22.1"
},
{
"status": "affected",
"version": "\u003e= 18.0.0, \u003c 18.24.0"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-alpha.1, \u003c 19.0.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T17:10:58.381Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5"
},
{
"name": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a"
},
{
"name": "https://github.com/plone/volto/releases/tag/16.34.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/16.34.0"
},
{
"name": "https://github.com/plone/volto/releases/tag/17.22.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/17.22.1"
},
{
"name": "https://github.com/plone/volto/releases/tag/18.24.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/18.24.0"
},
{
"name": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4"
}
],
"source": {
"advisory": "GHSA-xjhf-7833-3pm5",
"discovery": "UNKNOWN"
},
"title": "Volto affected by possible DoS by invoking specific URL by anonymous user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58047",
"datePublished": "2025-08-28T17:10:58.381Z",
"dateReserved": "2025-08-22T14:30:32.221Z",
"dateUpdated": "2025-11-04T21:13:20.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-24740 (GCVE-0-2022-24740)
Vulnerability from nvd – Published: 2022-03-14 22:15 – Updated: 2025-04-23 18:54
VLAI?
Title
Improper Authentication in Volto
Summary
Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.
Severity ?
5 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/plone/volto/pull/3051"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:02.469984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:04.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "volto",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.0.0-alpha.5, \u003c 15.0.0-alpha.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user\u0027s account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T22:15:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/volto/pull/3051"
}
],
"source": {
"advisory": "GHSA-cfhh-xgwq-5r67",
"discovery": "UNKNOWN"
},
"title": "Improper Authentication in Volto",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24740",
"STATE": "PUBLIC",
"TITLE": "Improper Authentication in Volto"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "volto",
"version": {
"version_data": [
{
"version_value": "\u003e= 14.0.0-alpha.5, \u003c 15.0.0-alpha.0"
}
]
}
}
]
},
"vendor_name": "plone"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user\u0027s account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67",
"refsource": "CONFIRM",
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"name": "https://github.com/plone/volto/pull/3051",
"refsource": "MISC",
"url": "https://github.com/plone/volto/pull/3051"
}
]
},
"source": {
"advisory": "GHSA-cfhh-xgwq-5r67",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24740",
"datePublished": "2022-03-14T22:15:13.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:04.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2022-24740
Vulnerability from fkie_nvd - Published: 2022-03-14 23:15 - Updated: 2024-11-21 06:50
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/plone/volto/pull/3051 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/plone/volto/pull/3051 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| plone | volto | * | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 14.0.0 | |
| plone | volto | 15.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:plone:volto:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "2E7BD0E0-F1F4-4BF8-8F28-A854D2913697",
"versionEndIncluding": "14.10.0",
"versionStartIncluding": "14.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "60B6B474-333B-4990-A3C6-2AE21C35E4FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha10:*:*:*:node.js:*:*",
"matchCriteriaId": "E2A552C6-510A-4402-8D36-D7A135387BA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha11:*:*:*:node.js:*:*",
"matchCriteriaId": "1616F781-5110-4CC2-AADD-72F8CE3A9CFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha12:*:*:*:node.js:*:*",
"matchCriteriaId": "531D33BA-E569-4465-93D9-7C4E09CE68E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha13:*:*:*:node.js:*:*",
"matchCriteriaId": "BF717E0B-196F-4132-8AFD-7A734D39FB34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha14:*:*:*:node.js:*:*",
"matchCriteriaId": "64AB5576-987F-4762-9C50-E2C5D5E3FDFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha15:*:*:*:node.js:*:*",
"matchCriteriaId": "133BF4F5-2288-4B40-B54B-1009DD01D895",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha16:*:*:*:node.js:*:*",
"matchCriteriaId": "A4BEF957-A8DE-421B-B720-935E6E6BB9EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha17:*:*:*:node.js:*:*",
"matchCriteriaId": "F0971799-2693-4030-BD1D-51E40A61199F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha18:*:*:*:node.js:*:*",
"matchCriteriaId": "CD8E68A2-E8E4-40BF-8D49-C07453A0FEDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha19:*:*:*:node.js:*:*",
"matchCriteriaId": "59CB7B21-5889-46FD-970F-B09FF8D60B13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha20:*:*:*:node.js:*:*",
"matchCriteriaId": "ACE67F50-325E-4462-997E-C0F297CF920D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha21:*:*:*:node.js:*:*",
"matchCriteriaId": "2AA47A36-244F-4654-91AF-98A05D620169",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha22:*:*:*:node.js:*:*",
"matchCriteriaId": "EA571792-AB7B-4A94-96CB-86A829902DC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha23:*:*:*:node.js:*:*",
"matchCriteriaId": "B6A677A4-1C58-4FF9-A931-76DF96B2784A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha24:*:*:*:node.js:*:*",
"matchCriteriaId": "3CBF93E1-41B3-4CB9-AE37-A714BDEC6B1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha25:*:*:*:node.js:*:*",
"matchCriteriaId": "EF197A8E-AFA1-4359-BB6E-E0E59786B6D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha26:*:*:*:node.js:*:*",
"matchCriteriaId": "A9CEACFB-27A7-47D7-BB9F-1BEEF4048693",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha27:*:*:*:node.js:*:*",
"matchCriteriaId": "E20A0DBE-42D8-4B66-B1D2-205FD7704796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha28:*:*:*:node.js:*:*",
"matchCriteriaId": "0B9F8356-065A-417D-BD35-981619FAEFC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha29:*:*:*:node.js:*:*",
"matchCriteriaId": "1ABC60C5-DCEA-434F-82DB-3924D9F6F450",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha30:*:*:*:node.js:*:*",
"matchCriteriaId": "C404E110-20A8-4149-A8DA-135E1785E2DD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha31:*:*:*:node.js:*:*",
"matchCriteriaId": "475A2C57-6A5B-4787-92FE-F6D4552744FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha32:*:*:*:node.js:*:*",
"matchCriteriaId": "171719F9-918D-413F-AB60-5261A4205CEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha33:*:*:*:node.js:*:*",
"matchCriteriaId": "7241B9C4-277C-43A6-8C32-79677B334EA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha34:*:*:*:node.js:*:*",
"matchCriteriaId": "5449FA9F-0C01-4259-8B6E-6DAA9F9C5F54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha35:*:*:*:node.js:*:*",
"matchCriteriaId": "8A76D371-4BDA-4751-B511-FCF99FAEC3E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha36:*:*:*:node.js:*:*",
"matchCriteriaId": "5DCCE12A-131B-4A2A-9DB3-3DCB252E2FB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha37:*:*:*:node.js:*:*",
"matchCriteriaId": "E4719B30-4F29-4CD9-9B71-6F4FF000BC17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha38:*:*:*:node.js:*:*",
"matchCriteriaId": "71EFFE80-FEAA-4F6F-AF5C-2CC1F8B1A5D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha39:*:*:*:node.js:*:*",
"matchCriteriaId": "1F7327CD-E127-44C5-A458-5EF227D154D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha40:*:*:*:node.js:*:*",
"matchCriteriaId": "4CB1DCB6-45C1-40FD-92A0-E14E75D28C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha41:*:*:*:node.js:*:*",
"matchCriteriaId": "E30BAF62-8A05-4CEA-95D6-C97E20016019",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha42:*:*:*:node.js:*:*",
"matchCriteriaId": "7F193851-4373-4B00-A12B-9D8C4D9F1475",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha43:*:*:*:node.js:*:*",
"matchCriteriaId": "4D5542A2-3C0B-4B11-B454-4196FD2A6714",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha6:*:*:*:node.js:*:*",
"matchCriteriaId": "2F8AECF3-3092-4C3A-AF90-571C4950F3F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha7:*:*:*:node.js:*:*",
"matchCriteriaId": "9C3EA246-64F5-4AE9-9C2C-72E1AD329A6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha8:*:*:*:node.js:*:*",
"matchCriteriaId": "A22D0AAD-C038-42C2-A740-A8B0470E279B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:14.0.0:alpha9:*:*:*:node.js:*:*",
"matchCriteriaId": "6F4F65D0-263E-4DC4-B33A-832A35ADD086",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:volto:15.0.0:alpha0:*:*:*:node.js:*:*",
"matchCriteriaId": "468217AF-833A-4A73-87C5-4BABFB3CE67A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user\u0027s account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library."
},
{
"lang": "es",
"value": "Volto es un frontend basado en ReactJS para el Sistema de Administraci\u00f3n de Contenidos Plone. Entre las versiones 14.0.0-alpha.5 y 15.0.0-alpha.0, un usuario pod\u00eda tener su cookie de autenticaci\u00f3n reemplazada por una cookie de autenticaci\u00f3n de otro usuario, d\u00e1ndole efectivamente el control de la cuenta y los privilegios del otro usuario. Esto ocurre cuando es usada una versi\u00f3n obsoleta de la biblioteca \"react-cookie\" y un servidor est\u00e1 bajo alta carga. Actualmente no se presenta una prueba de concepto, pero es posible que este problema ocurra \"in the wild\". El parche y la correcci\u00f3n est\u00e1n presentes en Volto versi\u00f3n 15.0.0-alpha.0. Como medida de mitigaci\u00f3n, puede actualizarse manualmente el paquete \"react-cookie\" a versi\u00f3n 4.1.1 y luego anular todos los componentes de Volto que usen esta biblioteca"
}
],
"id": "CVE-2022-24740",
"lastModified": "2024-11-21T06:50:59.563",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-14T23:15:08.303",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plone/volto/pull/3051"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plone/volto/pull/3051"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}