JVN#50804280
Plone vulnerable to open redirect
Overview
Plone contains an open redirect vulnerability.
Products Affected
- Plone versions prior to 5.2.5, with versions prior to 1.2.0 of the package "Products.isurlinportal"
Description
Plone provided by Plone Foundation contains an open redirect vulnerability (CWE-601).
Impact
When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patch "Products.isurlinportal 1.2.0" for Plone 4.3 and 5 that addresses the vulnerability
According to the developer, Plone 5.2.5 that contains a fix for this vulnerability will be released.
Vendor Status
Vendor | Link |
Plone Foundation | URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal |
Security fix: Products.isurlinportal 1.2.0 | |
Plone |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2021-32806 |
JVN iPedia |
JVNDB-2021-000076 |