CVE-2016-7147

Name of the Vulnerable Software and Affected Versions Plone versions prior to 4.3.12 Plone versions 5.x prior to 5.0.7

Description A cross-site scripting (XSS) issue exists in the manage findResult component of the search feature in Zope ZMI, allowing remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj ids:tokens parameter.

Recommendations For Plone versions prior to 4.3.12, update to version 4.3.12 or later. For Plone versions 5.x prior to 5.0.7, update to version 5.0.7 or later. As a temporary workaround, consider restricting access to the manage findResult component in the search feature to minimize the risk of exploitation.