CVE-2016-7137
Plone Open Redirect Vulnerability
CVSS 3.1: 6.1 (MEDIUM)
EPSS: 0.48%
Description
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form.
How to fix CVE-2016-7137
To remediate CVE-2016-7137, upgrade the affected package to a fixed version below.
- — no fix listed
- — upgrade to 5.0.7 or later
Is CVE-2016-7137 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.0, <= 5.0.6
- >= 5.0, < 5.0.7; >= 4.0, < 4.3.12; >= 3.3, < 4.0a1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |