CVE-2020-7936
Description
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect vulnerability in Plone 4.0 through 5.2.1 allows an attacker to craft a login link that redirects users to a malicious site after authentication.
Vulnerability
Plone versions 4.0 through 5.2.1 contain an open redirect vulnerability on the login form and potentially other locations where redirects are performed [1][3]. The vulnerability arises because the isURLInPortal check, which is designed to prevent redirects to external sites, can be bypassed to accept malicious links [3].
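The isURLInPortal check mentioned above is the gate that decides whether a post-login redirect target stays on the site. The function below is an added illustration, not Plone's isURLInPortal and not the hotfix code: a hypothetical strict same-origin validator that rejects the URL shapes (scheme-relative, backslash, userinfo, non-http scheme, host suffix tricks) an open-redirect check of this kind has to refuse. The portal URL and sample targets are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical hardened check, not Plone's own isURLInPortal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """(scheme, host, effective port) for a split URL, or None if unusable."""
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return scheme, parts.hostname, port


def is_url_in_portal(url: str, portal_url: str) -> bool:
    """True only if redirecting to `url` keeps the browser on the portal's origin."""
    candidate = url.strip()
    if not candidate:
        return False
    # Browsers drop control characters and treat backslashes as slashes;
    # refuse rather than guess how a given browser will re-parse them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate) or "\\" in candidate:
        return False
    # "//host" and "///host" are scheme-relative (external) in browsers, even
    # though urlsplit() reports an empty netloc for the triple-slash form.
    if candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return True  # plain relative path: resolves under the portal itself
    # Absolute URL: no userinfo ("https://portal@evil.example" has hostname
    # evil.example), and scheme, host and port must all match the portal.
    if parts.username is not None or parts.password is not None:
        return False
    target = _origin(parts)
    return target is not None and target == _origin(urlsplit(portal_url))
```

A plain http:// link to the portal host is also refused here, since the check is strict same-origin; relax that deliberately if a deployment needs it.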
Exploitation
An attacker can craft a link to a Plone site that, when followed and after the user logs in, redirects the user to an attacker-controlled site [1]. The attack does not require authentication before the redirect; the user only needs to follow the crafted link and authenticate on the legitimate Plone site [1]. The vulnerability is present in all supported Plone versions and likely also affects earlier, unsupported versions [3].
Impact
Successful exploitation can lead to phishing attacks, where users are tricked into visiting a malicious site after logging in, potentially exposing credentials or other sensitive information [1][3]. An open redirect of this kind can also serve as a building block for social engineering or for bypassing URL-based allowlist controls that trust links pointing at the legitimate Plone host.
Mitigation
A security hotfix (20200121) was released on January 21, 2020, to address this issue, along with other security vulnerabilities [3][4]. Users should apply the hotfix immediately or upgrade to a patched version. The CVE identifier for this specific open redirect is CVE-2020-7936 [4]. No workarounds are mentioned beyond applying the patch.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Plone | PyPI | >= 4.0, < 4.3.20 | 4.3.20 |
| Plone | PyPI | >= 5.0rc1, < 5.1.7 | 5.1.7 |
| Plone | PyPI | >= 5.2.0, < 5.2.2 | 5.2.2 |
Affected products
- Plone/Plone
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-82j9-wfcf-9v2h (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7936 (advisory)
- www.openwall.com/lists/oss-security/2020/01/24/1 (mailing list)
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2020-85.yaml (web)
- plone.org/security/hotfix/20200121 (web)
- plone.org/security/hotfix/20200121/an-open-redirection-on-the-login-form-and-possibly-other-places (web)
- www.openwall.com/lists/oss-security/2020/01/22/1 (web)
News mentions
No linked articles in our index yet.