CVE-2016-7139 — Plone Cross-site Scripting (XSS) vulnerability

Description

Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

How to fix CVE-2016-7139

To remediate CVE-2016-7139, upgrade the affected package to a fixed version below.

PyPI/plone—upgrade to 5.0.6 or later
—upgrade to 5.0.7 or later

Is CVE-2016-7139 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 5.0, < 5.0.6
>= 5.0, < 5.0.7, >= 4.0, < 4.3.12, >= 3.3, < 4.0a1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (13)

ADVISORYgithub.com/advisories/GHSA-pp4c-2692-7f37
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-7139
PATCHgithub.com/plone/Plone
WEBpacketstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
WEB