Description

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.

Remediation

References

CVE-2016-7137

Related Vulnerabilities

PHP Improper Input Validation Vulnerability (CVE-2008-7068)

Oracle Database Server Other Vulnerability (CVE-2001-0831)

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-3946)

Magento Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability (CVE-2020-9578)

Oracle Database Server CVE-2019-2547 Vulnerability (CVE-2019-2547)

Severity

Medium

Classification

CVE-2016-7137 CWE-601 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities