PT-2018-5246 · Plone Foundation · Plone
Published
2018-01-03
·
Updated
2022-05-14
·
CVE-2017-1000481
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Plone versions 2.5 through 5.1rc1
Description
The issue allows an attacker to trick users into visiting an attacker-controlled site, or into executing attacker-controlled JavaScript, after they log in, by abusing the post-login redirect that follows the came_from parameter. Plone restricts this redirect to the same Plone site with the isURLInPortal check, but additional ways to bypass that check were found and are addressed by the hotfix.
Recommendations
For Plone versions 2.5 through 5.1rc1, apply the provided hotfix, which hardens the isURLInPortal check. Until it is applied, do not rely on came_from being restricted to the site, and audit any custom code that redirects to a user-supplied URL.
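The kind of check the description refers to, as an added example: this is not Plone's own isURLInPortal implementation and does not reproduce the specific bypasses the hotfix addressed. It validates a came_from-style redirect target by resolving it against the site URL and comparing scheme, host, port and path prefix, and runs it over constructed inputs that show the usual ways such checks are defeated. The portal location https://portal.example/site, the helper names and the candidate list are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed portal location for this example; not a real site.
PORTAL_URL = "https://portal.example/site"


def normalise_candidate(url: str) -> str:
    """Apply the normalisations a browser applies before parsing a URL,
    so the validator inspects the same string the browser will act on."""
    # WHATWG parsing drops ASCII tab and newline anywhere in the input,
    # which is what turns "java\tscript:" back into "javascript:".
    url = url.strip()
    for ch in ("\t", "\r", "\n"):
        url = url.replace(ch, "")
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.example"
    # is really the scheme-relative "//evil.example".
    return url.replace("\\", "/")


def is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """Return True only if url resolves to a location inside the portal.

    Assumption: the portal lives at portal_url and everything under that
    path belongs to it. The candidate is resolved against the portal URL
    first, so relative paths are judged by where they actually lead.
    """
    candidate = normalise_candidate(url or "")
    if not candidate:
        return False
    portal = urlsplit(portal_url)
    base = portal_url.rstrip("/") + "/"
    try:
        target = urlsplit(urljoin(base, candidate))
        target_port, portal_port = target.port, portal.port
    except ValueError:  # malformed netloc or port
        return False
    # Rejects javascript:, data: and every other non-navigation scheme.
    if target.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and excludes userinfo, so
    # "https://portal.example@evil.example/" compares as evil.example.
    if (target.hostname or "") != (portal.hostname or ""):
        return False
    if target_port != portal_port:
        return False
    # Stay inside the site's path prefix (one Zope host can serve several sites).
    prefix = portal.path.rstrip("/")
    return target.path == prefix or target.path.startswith(prefix + "/")


def safe_redirect_target(came_from: str, portal_url: str = PORTAL_URL) -> str:
    """Return came_from if it stays inside the portal, else the portal itself."""
    return came_from if is_url_in_portal(came_from, portal_url) else portal_url


# Constructed candidates illustrating common open-redirect pitfalls; they are
# illustrative and not the specific inputs covered by the Plone hotfix.
CANDIDATES = {
    "https://portal.example/site/folder/page": True,   # absolute, same site
    "folder/page": True,                                # relative, inside site
    "/site/login_form": True,                           # absolute path inside site
    "HTTPS://PORTAL.EXAMPLE/site/x": True,              # case differences only
    "https://evil.example/": False,                     # other host
    "//evil.example/x": False,                          # scheme-relative
    "/\\evil.example/x": False,                         # backslash variant
    "javascript:alert(1)": False,                       # script, not navigation
    "java\tscript:alert(1)": False,                     # tab-split scheme
    "https://portal.example@evil.example/": False,      # host hidden in userinfo
    "https://portal.example:8443/site/": False,         # other port
    "/other_site/page": False,                          # same host, other site
}


def check_all(candidates: dict = CANDIDATES) -> dict:
    """Return {candidate: is_url_in_portal(candidate)} for a batch of inputs."""
    return {c: is_url_in_portal(c) for c in candidates}


if __name__ == "__main__":
    for candidate, expected in CANDIDATES.items():
        verdict = is_url_in_portal(candidate)
        mark = "ok " if verdict == expected else "BAD"
        print(f"{mark} {candidate!r:45} -> {verdict}")
```

The order of operations is the point: normalise first, resolve against the site, then compare the parsed components rather than doing prefix or substring matching on the raw string, since every bypass in the candidate list works by making a naive string check and the browser disagree about where the URL leads.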
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Plone