Plone has addressed three critical vulnerabilities in its software, including a Remote Code Execution (RCE) flaw with a CVSS score of 9.9 that allows an attacker to execute code on the server through user-supplied input in the Classic portlet. The flaw is especially serious because any user who is permitted to add a Classic portlet can exploit it.
Two further vulnerabilities, each with a CVSS score of 9.1, enable denial of service (DoS), server-side request forgery (SSRF) and stored cross-site scripting (XSS) through features in the plone.app.event and plone.app.portlets packages. Plone 6.0, 6.1 and 6.2 are affected. Immediate patching of the RCE vulnerability is recommended; the specific fixed versions to upgrade to are outlined as the mitigation.