Medium severity4.9NVD Advisory· Published Mar 7, 2017· Updated May 13, 2026
CVE-2016-7135
CVE-2016-7135
Description
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
PlonePyPI | >= 5.0, < 5.0.7 | 5.0.7 |
PlonePyPI | >= 4.2, < 4.3.12 | 4.3.12 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
13- www.openwall.com/lists/oss-security/2016/09/05/4nvdMailing ListPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2016/09/05/5nvdMailing ListPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- seclists.org/fulldisclosure/2016/Oct/80nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-m7f9-65wr-pwchghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-7135ghsaADVISORY
- plone.org/security/hotfix/20160830/filesystem-information-leaknvdVendor AdvisoryWEB
- www.securityfocus.com/archive/1/539572/100/0/threadednvdWEB
- www.securityfocus.com/bid/92752nvdWEB
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-58.yamlghsaWEB
- pypi.org/project/Products.PloneHotfix20160830ghsaWEB
- web.archive.org/web/20200227230348/http://www.securityfocus.com/bid/92752ghsaWEB
- web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threadedghsaWEB
News mentions
0No linked articles in our index yet.