Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02OXZoLTY2Mmotdjk4OM4AAV-F

Plone Open Redirect Vulnerability

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.

Permalink: https://github.com/advisories/GHSA-69vh-662j-v988
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OXZoLTY2Mmotdjk4OM4AAV-F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago

CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-69vh-662j-v988, CVE-2016-7137
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-7137
• https://plone.org/security/hotfix/20160830/open-redirection-in-plone
• http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
• http://seclists.org/fulldisclosure/2016/Oct/80
• http://www.openwall.com/lists/oss-security/2016/09/05/4
• http://www.openwall.com/lists/oss-security/2016/09/05/5
• https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752
• https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded
• https://github.com/advisories/GHSA-69vh-662j-v988

Blast Radius: 5.2

Affected Packages