JVN#50804280
Plone vulnerable to open redirect
Overview
Plone contains an open redirect vulnerability.
Products Affected
- Plone versions prior to 5.2.5, with versions prior to 1.2.0 of the package "Products.isurlinportal"
Description
Plone provided by Plone Foundation contains an open redirect vulnerability (CWE-601).
Impact
When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patch "Products.isurlinportal 1.2.0" for Plone 4.3 and 5 that addresses the vulnerability
According to the developer, Plone 5.2.5 that contains a fix for this vulnerability will be released.
Vendor Status
| Vendor | Link |
| Plone Foundation | URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal |
| Security fix: Products.isurlinportal 1.2.0 | |
| Plone |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2021-32806 |
| JVN iPedia |
JVNDB-2021-000076 |