PT-2018-5249 · Plone · Plone

Published 2018-01-03 · Updated 2019-01-04 · CVE-2017-1000484
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Plone versions 2.5 through 5.1rc1
Description: The issue allows an attacker to redirect users to their own website by linking to a specific URL in Plone with a parameter. Although this is not severe on its own, it can be combined with another attack to send users to the Plone login form, then to the specific URL, and finally to the attacker's website. The specific URL can be identified by inspecting the hotfix code.
Recommendations: For Plone versions 2.5 through 5.1rc1, consider restricting access to the specific URL that can be used for redirection until a patch is available. As a temporary workaround, avoid using the parameter that allows the redirect to the attacker's website.
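The mitigation for an open redirect of this kind is to validate the redirect target server-side and only honour targets that stay on the site. The function below is an added illustration, not Plone's code and not the hotfix referenced in the advisory; the site host, the fallback path and the `came_from`-style parameter name in the comments are assumptions. It accepts site-relative paths and absolute URLs on the site's own host, and rejects protocol-relative URLs, backslash variants, foreign hosts, userinfo tricks and non-http schemes.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values for this example (not from the advisory or from Plone):
SITE_HOST = "plone.example.org"   # hypothetical site host
FALLBACK_PATH = "/"               # where to send users when the target is rejected


def safe_redirect_target(candidate, site_host=SITE_HOST, fallback=FALLBACK_PATH):
    """Return a redirect target that stays on site_host, or the fallback.

    'candidate' is the raw value of a hypothetical redirect parameter
    (e.g. a came_from-style query string value). Accepted targets are:
      * site-relative paths beginning with exactly one '/', or
      * absolute http(s) URLs whose host equals site_host.
    Anything else is rejected: '//host' protocol-relative URLs, backslash
    variants such '/\\host', other hosts, 'user@host' userinfo tricks,
    non-http schemes, and values containing whitespace or control chars.
    The accepted value is re-emitted as a site-relative path so no scheme
    or host from the input ever reaches the Location header.
    """
    if not isinstance(candidate, str):
        return fallback
    target = candidate.strip()
    if not target or any(ch.isspace() for ch in target) or "\\" in target:
        return fallback

    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) on our own host.
        if parts.scheme not in ("http", "https"):
            return fallback
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))

    # No scheme and no netloc: must be a plain site-relative path.
    if not target.startswith("/") or target.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs, as a server might receive them in a redirect parameter.
    for sample in ["/folder/page", "//evil.example/", "https://plone.example.org/folder?x=1",
                   "/\\evil.example", "javascript:alert(1)",
                   "https://plone.example.org@evil.example/"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Dropping the fragment and rebuilding the path from parsed components is deliberate: it means the only characters copied into the redirect are the path and query, which is what an allow-list check should guarantee. When logging rejected values, keep the raw candidate in the log entry; a spike of rejected redirect parameters is a useful detection signal for attempts to exploit this class of flaw.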

Fix

Open Redirect


Weakness Enumeration

Related identifiers

CVE-2017-1000484
GHSA-XVWV-6WVX-PX9X
PYSEC-2018-73

Affected products

Plone