CVE-2016-7137
MEDIUM6.1EPSS 0.48%Plone Open Redirect Vulnerability
發布日:2022/5/14修改日:2024/10/15
描述
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) `%2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions` or (2) `folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions` or the (3) `came_from` parameter to `/login_form`.
受影響套件(2)
- PyPI/plone>= 5.0, <= 5.0.6
- PyPI/plone>= 5.0, < 5.0.7, >= 4.0, < 4.3.12, >= 3.3, < 4.0a1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-7137
- PATCHhttps://github.com/plone/Plone
- WEBhttp://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
- WEBhttp://seclists.org/fulldisclosure/2016/Oct/80
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-60.yaml
- WEBhttps://plone.org/security/hotfix/20160830/open-redirection-in-plone
- WEBhttps://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752
- WEBhttps://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded
- WEBhttp://www.openwall.com/lists/oss-security/2016/09/05/4
- WEBhttp://www.openwall.com/lists/oss-security/2016/09/05/5
- WEBhttp://www.securityfocus.com/archive/1/539572/100/0/threaded
- WEBhttp://www.securityfocus.com/bid/92752