CVE-2016-7137

EUVD-2017-0093

07.03.2017, 16:59

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Affected Products (NVD)

Vendor	Product	Version
plone	plone	3.3
plone	plone	3.3.1
plone	plone	3.3.2
plone	plone	3.3.3
plone	plone	3.3.4
plone	plone	3.3.5
plone	plone	3.3.6
plone	plone	4.0
plone	plone	4.0.1
plone	plone	4.0.2
plone	plone	4.0.3
plone	plone	4.0.4
plone	plone	4.0.5
plone	plone	4.0.7
plone	plone	4.0.8
plone	plone	4.0.9
plone	plone	4.0.10
plone	plone	4.1
plone	plone	4.1.1
plone	plone	4.1.2
plone	plone	4.1.3
plone	plone	4.1.4
plone	plone	4.1.5
plone	plone	4.1.6
plone	plone	4.2
plone	plone	4.2.1
plone	plone	4.2.2
plone	plone	4.2.3
plone	plone	4.2.4
plone	plone	4.2.5
plone	plone	4.2.6
plone	plone	4.2.7
plone	plone	4.3
plone	plone	4.3.1
plone	plone	4.3.2
plone	plone	4.3.3
plone	plone	4.3.4
plone	plone	4.3.5
plone	plone	4.3.6
plone	plone	4.3.7
plone	plone	4.3.8
plone	plone	4.3.9
plone	plone	4.3.10
plone	plone	4.3.11
plone	plone	5.0
plone	plone	5.0:a1
plone	plone	5.0:rc1
plone	plone	5.0:rc2
plone	plone	5.0:rc3
plone	plone	5.0.1
plone	plone	5.0.2
plone	plone	5.0.3
plone	plone	5.0.4
plone	plone	5.0.5
plone	plone	5.0.6
plone	plone	5.1a1:a1