Medium severity (6.1) · NVD Advisory · Published Mar 7, 2017 · Updated May 13, 2026
CVE-2016-7137
Description
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b/portlets.Actions or the (3) came_from parameter to /login_form.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Plone | PyPI | >= 5.0, <= 5.0.6 | — |
| Plone | PyPI | >= 4.0, <= 4.3.11 | — |
| Plone | PyPI | >= 3.3, <= 3.3.6 | — |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.openwall.com/lists/oss-security/2016/09/05/4 (NVD: Mailing List, Patch, Third Party Advisory)
- www.openwall.com/lists/oss-security/2016/09/05/5 (NVD: Mailing List, Patch, Third Party Advisory)
- packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html (NVD: Exploit, Third Party Advisory, VDB Entry)
- seclists.org/fulldisclosure/2016/Oct/80 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-69vh-662j-v988 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-7137 (GHSA: Advisory)
- plone.org/security/hotfix/20160830/open-redirection-in-plone (NVD: Vendor Advisory)
- www.securityfocus.com/archive/1/539572/100/0/threaded (NVD)
- www.securityfocus.com/bid/92752 (NVD)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-60.yaml (GHSA)
- web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752 (GHSA)
- web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded (GHSA)
News mentions
No linked articles in our index yet.