PT-2018-5246 · Plone Foundation · Plone

Published 2018-01-03 · Updated 2022-05-14 · CVE-2017-1000481

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions: Plone versions 2.5 through 5.1rc1
Description: The redirect Plone performs after a user logs in takes its target from the came_from request parameter. Plone restricts that redirect to URLs inside the same Plone site with the isURLInPortal check, but further ways to get a URL past the check were found. An attacker who gets a user to follow a crafted login link can therefore send the user to a malicious site, or have attacker-controlled JavaScript executed, once the user has logged in. The additional bypasses have been addressed.
Recommendations: For Plone versions 2.5 through 5.1rc1, apply the provided hotfix so that the came_from redirect mechanism cannot be exploited.
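The kinds of bypass the description refers to, shown as an added worked example that is not Plone's isURLInPortal or the hotfix code: a naive prefix check of the sort these tricks defeat, beside a stricter origin check, both run over constructed came_from values. The portal URL https://plone.example.org, the hypothetical names naive_is_url_in_portal, hardened_is_url_in_portal and redirect_target, and every sample URL are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical portal URL for this example; a real deployment would take it
# from the site's configuration.
PORTAL_URL = "https://plone.example.org"
ALLOWED_SCHEMES = ("http", "https")
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """A prefix check of the kind the bypasses below defeat.

    Constructed for contrast only; this is not Plone's isURLInPortal. It
    accepts anything that starts with the portal URL, or that has no "://"
    and so merely looks relative.
    """
    return url.startswith(portal_url) or "://" not in url


def _effective_port(parts):
    """Port with the scheme default filled in; None if the port is unparsable."""
    try:
        port = parts.port          # raises ValueError on e.g. "host:abc"
    except ValueError:
        return None
    return port if port is not None else DEFAULT_PORTS.get(parts.scheme)


def hardened_is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """Accept only URLs a browser will resolve inside the portal origin.

    Added example of a stricter came_from check; not the project's own code.
    """
    # Browsers strip ASCII whitespace and control characters before parsing,
    # so "java\tscript:" is parsed as "javascript:". Refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    # In http(s) URLs browsers treat "\" as "/", so "/\evil" means "//evil".
    if "\\" in url:
        return False
    # Legitimate paths are percent-encoded; raw non-ASCII mostly serves
    # confusable hostnames and fullwidth slashes, so refuse it as well.
    if not url.isascii():
        return False

    parts = urlsplit(url)
    portal = urlsplit(portal_url)

    if parts.scheme:
        # Absolute reference: require the exact portal origin.
        if parts.scheme not in ALLOWED_SCHEMES:
            return False                       # javascript:, data:, vbscript: ...
        if parts.username is not None or parts.password is not None:
            return False                       # https://plone.example.org@evil
        return (parts.scheme == portal.scheme
                and parts.hostname == portal.hostname
                and _effective_port(parts) == _effective_port(portal))

    if parts.netloc:
        return False                           # scheme-relative //evil.example
    # "///evil.example" survives urlsplit with an empty netloc but resolves
    # to host evil.example in a browser, so refuse any leading "//".
    if url.startswith("//"):
        return False
    return True                                # /path or path: same origin


def redirect_target(came_from: str, portal_url: str = PORTAL_URL) -> str:
    """Where a login view should send the user: came_from if it passes the
    hardened check, otherwise the portal root."""
    if hardened_is_url_in_portal(came_from, portal_url):
        return came_from
    return portal_url


# Constructed came_from values (not taken from the advisory) with the
# expected verdict of each check. The naive check lets every bypass through.
SAMPLES = [
    ("https://plone.example.org/folder/page", True, True),
    ("/news/item", True, True),
    ("//evil.example/phish", True, False),                    # scheme-relative
    ("///evil.example/phish", True, False),                   # extra slash, same effect
    ("/\\evil.example/phish", True, False),                   # backslash acts as slash
    ("https://plone.example.org.evil.example/", True, False), # prefix match only
    ("https://plone.example.org@evil.example/", True, False), # userinfo trick
    ("http:evil.example", True, False),                       # no "//", still absolute
    ("javascript:alert(document.cookie)", True, False),       # script, not a site
    ("java\tscript:alert(1)", True, False),                   # tab dropped by browser
]


def run_samples():
    """Return (url, naive_verdict, hardened_verdict) for every sample."""
    return [(url, naive_is_url_in_portal(url), hardened_is_url_in_portal(url))
            for url, _, _ in SAMPLES]


if __name__ == "__main__":
    for url, naive, hardened in run_samples():
        print(f"{url!r:48} naive={naive!s:5} hardened={hardened}")
```

The hardened check compares scheme, hostname and effective port rather than string prefixes, and rejects the characters browsers silently normalise away before the comparison is even made. A portal mounted under a sub-path (virtual hosting) would additionally need a path-prefix check on the parsed path, which this example omits.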

Fix

Open Redirect


Weakness Enumeration

Related identifiers

CVE-2017-1000481
GHSA-8G72-GQ68-6GQH
PYSEC-2018-70

Affected products

Plone