Medium severity6.1NVD Advisory· Published Mar 7, 2017· Updated May 13, 2026

CVE-2016-7140

Description

Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
PlonePyPI	>= 5.0a1, < 5.0.7	5.0.7
PlonePyPI	>= 3.3a1, < 4.3.12	4.3.12

Affected products

ghsa-coords
pkg:pypi/plone
Range: >= 5.0a1, < 5.0.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2016/09/05/4nvdMailing ListPatchThird Party AdvisoryWEB
www.openwall.com/lists/oss-security/2016/09/05/5nvdMailing ListPatchThird Party AdvisoryWEB
packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
seclists.org/fulldisclosure/2016/Oct/80nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-chvw-gjxf-f8mcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-7140ghsaADVISORY
plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2nvdVendor AdvisoryWEB
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-63.yamlghsaWEB
www.securityfocus.com/archive/1/539572/100/0/threadednvd
www.securityfocus.com/bid/92752nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000