Medium severity4.9NVD Advisory· Published Mar 7, 2017· Updated Jun 17, 2026
CVE-2016-7135
CVE-2016-7135
Description
Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
PlonePyPI | >= 5.0, < 5.0.7 | 5.0.7 |
PlonePyPI | >= 4.2, < 4.3.12 | 4.3.12 |
Affected products
33cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*+ 31 more
- cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
13- www.openwall.com/lists/oss-security/2016/09/05/4nvdMailing ListPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2016/09/05/5nvdMailing ListPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- seclists.org/fulldisclosure/2016/Oct/80nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-m7f9-65wr-pwchghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-7135ghsaADVISORY
- plone.org/security/hotfix/20160830/filesystem-information-leaknvdVendor AdvisoryWEB
- www.securityfocus.com/archive/1/539572/100/0/threadednvdWEB
- www.securityfocus.com/bid/92752nvdWEB
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-58.yamlghsaWEB
- pypi.org/project/Products.PloneHotfix20160830ghsaWEB
- web.archive.org/web/20200227230348/http://www.securityfocus.com/bid/92752ghsaWEB
- web.archive.org/web/20201207134911/http://www.securityfocus.com/archive/1/539572/100/0/threadedghsaWEB
News mentions
0No linked articles in our index yet.