PT-2018-5249 · Plone · Plone

Published 2018-01-03 · Updated 2019-01-04 · CVE-2017-1000484

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Plone versions 2.5 through 5.1rc1

Description: The issue allows an attacker to redirect users to a website of the attacker's choosing by linking to a specific Plone URL with a crafted parameter. Although this is not severe on its own, it can be chained with another attack: users are sent to the Plone login form, then to the specific URL, and finally to the attacker's website. The specific URL can be identified by inspecting the hotfix code.

Recommendations: For Plone versions 2.5 through 5.1rc1, consider restricting access to the specific URL that can be used for redirection until a patch is available. As a temporary workaround, avoid using the parameter that allows the redirect to the attacker's website.
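The underlying defect class is an open redirect: a redirect target taken from a request parameter is followed without being checked against the site's own host. The following is an added, generic illustration of the mitigation for that class; it is not Plone's code and not the hotfix the advisory refers to, and the base URL, allowed host, and sample inputs in it are constructed for the example. The check resolves the user-supplied target against the trusted site base and only ever redirects to the resolved absolute URL, so the raw input (with its browser-specific parsing quirks) never reaches the Location header.

```python
"""Validate a user-supplied post-login redirect target against a trusted site base.

Added illustration of open-redirect mitigation; not Plone's code and not the
advisory's hotfix. SITE_BASE and the sample inputs below are constructed.
"""
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://portal.example/"   # constructed: the trusted site origin
DEFAULT_TARGET = SITE_BASE              # where to send users when the target is rejected
ALLOWED_SCHEMES = {"http", "https"}     # never follow javascript:, data:, etc.


def resolve_redirect(target: str, base: str = SITE_BASE, default: str = DEFAULT_TARGET) -> str:
    """Return an absolute URL on the trusted host, or `default` if `target` is unsafe.

    The return value is always the *resolved* URL, never the raw input, so a
    target such as "///evil.example" becomes a path on the trusted host rather
    than a string some browsers would treat as a different origin.
    """
    if not target:
        return default

    # Control characters, whitespace and backslashes are parsed differently by
    # browsers and servers; that disagreement is what redirect bypasses rely on.
    if any(ord(ch) < 0x21 or ch == "\\" for ch in target):
        return default

    resolved = urljoin(base, target)
    parts = urlsplit(resolved)
    base_host = (urlsplit(base).hostname or "").lower()

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return default                      # e.g. "javascript:..." passes through urljoin untouched
    if (parts.hostname or "").lower() != base_host:
        return default                      # absolute or protocol-relative URL to another host
    if parts.username or parts.password:
        return default                      # userinfo tricks such as "https://trusted@evil"
    return resolved


def main() -> None:
    # Constructed sample inputs covering the usual bypass shapes.
    samples = [
        "/news",
        "https://portal.example/news?page=2",
        "https://evil.example/",
        "//evil.example/",
        "///evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        "/news\r\nX-Injected: 1",
        "",
    ]
    for sample in samples:
        print(f"{sample!r:40} -> {resolve_redirect(sample)}")


if __name__ == "__main__":
    main()
```

The `default` fallback is deliberately the site root rather than an error page: a rejected target should degrade to a harmless destination, and the decision can be logged at the call site if tracking of malformed redirect parameters is wanted.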

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2017-1000484
GHSA-XVWV-6WVX-PX9X
PYSEC-2018-73

Affected Products

Plone