1. CVE-Search
  2. CVE-2016-7137
ID CVE-2016-7137
Summary Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.
References
Vulnerable Configurations
  • cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*
    cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 09-10-2018 - 20:00)
Impact:
Exploitability:
CWE CWE-601
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
bid 92752
bugtraq 20161012 Multiple Vulnerabilities in Plone CMS
confirm https://plone.org/security/hotfix/20160830/open-redirection-in-plone
fulldisc 20161019 Multiple Vulnerabilities in Plone CMS
misc http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
mlist [oss-security] 20160905 Re: CVE request: Plone multiple vulnerabilities
Last major update 09-10-2018 - 20:00
Published 07-03-2017 - 16:59
Last modified 09-10-2018 - 20:00
Back to Top