CVE-2016-7137
MEDIUM6.1EPSS 0.48%Plone Open Redirect Vulnerability
Published: 5/14/2022Modified: 10/15/2024
Description
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) `%2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions` or (2) `folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions` or the (3) `came_from` parameter to `/login_form`.
Affected packages (2)
- PyPI/plone>= 5.0, <= 5.0.6
- PyPI/plone>= 5.0, < 5.0.7, >= 4.0, < 4.3.12, >= 3.3, < 4.0a1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-7137
- PATCHhttps://github.com/plone/Plone
- WEBhttp://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
- WEBhttp://seclists.org/fulldisclosure/2016/Oct/80
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-60.yaml
- WEBhttps://plone.org/security/hotfix/20160830/open-redirection-in-plone
- WEBhttps://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752
- WEBhttps://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded
- WEBhttp://www.openwall.com/lists/oss-security/2016/09/05/4
- WEBhttp://www.openwall.com/lists/oss-security/2016/09/05/5
- WEBhttp://www.securityfocus.com/archive/1/539572/100/0/threaded
- WEBhttp://www.securityfocus.com/bid/92752